
Scanning the RSAC Clouds to Find the Stars


Posted on by Greg McDonough

While the constant expansion of the CISO position was a top priority for many at RSAC™ 2025 Conference, cloud security also seemed to be on everyone’s mind. In some of the week’s top-rated sessions, speakers broke down the fundamentals of creating strong cloud security from the bottom up, looked at current practices and strategies for avoiding some of the most common pitfalls, and examined some of the associated technologies currently employed in the cloud security space. While every speaker at RSAC 2025 Conference approached their subject with a wealth of knowledge and experience, below are some of the most talked-about sessions on cloud security that really resonated with audiences.

Rich Mogull, Senior Vice President of Cloud Security at Firemon, began his presentation, “Building a Resilient Cloud Security Foundation,” by stressing the importance of abandoning a traditional security mindset when thinking about the cloud. During his 15 years of experience in the field, he helped to develop the Cloud Security Maturity Model, which he recommended as an invaluable framework for those starting out in the cloud or those looking to assess the current strength of their position. Whereas traditional security used to focus on the physical space in which work was being done, Mogull said that the new focus should be on identity and access management (IAM), explaining, "All cloud security failures are identity failures and all identity failures are governance failures." He urged organizations to perform an in-depth inspection of their access governance policy and eliminate as many long-lived credentials as possible, replacing them with least privilege roles. This process should go hand in hand with ensuring that strong multi-factor authentication (MFA) is mandatory for all accounts.

In Shaun McCullough’s session, “Story Time: Attacker Tactics Against Cloud Infrastructure,” he recounted some of the hard-learned lessons in cloud security with examples of sustained attacks such as those suffered by Cloud Spaces, Tesla’s Kubernetes cluster, and Microsoft Azure’s “Midnight Blizzard” attack.

McCullough, who is a SANS Course Instructor and oversees cloud security for GitHub, argued that many security issues are often operational rather than technical, and explained: “The idea that there’s these technical solutions that seem very easy. It’s very easy. You just click a button and turn these off. But in reality, it’s really hard because I have to do fixes across my environment, and I’ve got thousands of codes, apps that are interacting, and I’ve got to change them all.” Like Mogull, McCullough pushed for companies to eliminate long-term credentials and enforce MFA in all instances. In addition, McCullough argued for logging as an essential element of cloud security and explained the ways in which organizations could leverage tools such as Azure Policies or Amazon Web Services’ (AWS) automated tooling as a means of automating the logging process. He also stressed the importance of understanding the deployment of an organization’s security resources, explaining, “If you can’t scan it, you can’t secure it.”

Sean Metcalf, Identity Security Architect at TrustedSec, focused his presentation, “Your Microsoft Cloud Is the Attacker's Computer,” on the complexities of configuring Microsoft’s Entra ID for IAM. Mismanagement and misconfigurations in Entra ID make it one of the most common attack vectors for bad actors looking to compromise cloud security systems. Metcalf attributed much of the difficulty with Entra to the fact that there are over 100 separate roles that users can be assigned, and while many of those roles sound very similar, they can have drastically different levels of access and permissions. Given the complexity of understanding the subtle differences between these roles, administrators will often misassign users, granting them too much power and creating a significant security risk. He pointed out that Privileged Identity Management (PIM), a foundational security control, is often employed incorrectly and can create a large pool of high-privilege accounts, thus significantly increasing the attack surface. In keeping with recommendations by Mogull and McCullough, Metcalf stressed the importance of enforcing MFA in all circumstances and stated, "It's important to prompt users for MFA even inside the corporate network." He encouraged the audience to audit user accounts for elevated access, to review PIM policies to ensure proper permissions, and to employ zero trust where applicable.
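The three speakers converge on two concrete checks: no console account without MFA, and no long-lived access keys. The script below is an added example (not from the post or any of the speakers) that runs those two checks over a constructed, inline credential report laid out like an AWS IAM credential report CSV; the column names and the 90-day rotation cutoff are assumptions, not values from the article.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an AWS IAM credential report.
# Column names are an assumption for this example; the account id is AWS's documented placeholder.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T09:00:00+00:00,true,2025-04-01T10:00:00+00:00,true,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-01T09:00:00+00:00,true,2025-04-20T10:00:00+00:00,false,true,2022-06-01T09:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2021-03-15T09:00:00+00:00,false,no_information,false,true,2025-03-01T09:00:00+00:00,true,2021-03-15T09:00:00+00:00
"""

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy; tighten to match your governance standard
NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)  # fixed clock so the results are reproducible


def _parse_ts(value):
    """Return a datetime, or None for the report's 'N/A' / 'no_information' markers."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return {user: [finding, ...]} for every user that violates either control."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        # Control 1 (Mogull, McCullough, Metcalf): console users must have MFA enabled.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console login without MFA")
        # Control 2 (Mogull, McCullough): no long-lived credentials. An active key with
        # no rotation timestamp counts as stale, not as clean.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
                if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                    issues.append(f"access key {n} older than {max_key_age_days} days")
        if issues:
            findings[row["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(f"{user}: {'; '.join(issues)}")
```

Users whose keys are inactive or recently rotated (alice, and ci-deploy's first key) produce no finding, so the output is the remediation list rather than the whole inventory.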

The explosion of cloud-based computing has been one of the most influential developments in the computing industry. In terms of cybersecurity, the cloud completely changes the way that security teams need to think about their roles and responsibilities.

Whereas physical constraints and on-site security used to play a major role in an organization’s security strategy, the cloud allows organizations to expand beyond the walls of their physical footprint. This growth comes at the cost of a drastically increased attack surface that security teams need to defend. Mogull, Metcalf, and McCullough shared their insights into the particular difficulties of securing cloud platforms, as well as some of the specific strategies that organizations can use to ensure that they are one step ahead of cybercriminals. To watch all of these presentations in their entirety and catch up with all of this year’s best sessions, visit the all-new RSAC Membership Portal, which contains additional content from industry-leading experts, opportunities to network and communicate with cybersecurity peers, up-to-date information on the latest news and emerging trends, as well as a new Artificial Intelligence (AI) assistant that can summarize and organize presentations to ensure that all of the most important information is presented in the most relevant manner.

Contributors
Greg McDonough

Cybersecurity Writer, Freelance

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
