Hello? Whose Service Account Keys Are These? - GCP Security and Long-Lived Credentials
fwd:cloudsec via YouTube
Earn Your Business Degree, Tuition-Free, 100% Online!
AI, Data Science & Cloud Certificates from Google, IBM & Meta
Overview
Google, IBM & Meta Certificates – 40% Off
One plan covers every Professional Certificate on Coursera.
Unlock All Certificates
Explore the critical security risks associated with long-lived credentials in Google Cloud Platform environments through this 20-minute conference talk by Lee Livsey from Reversec. Examine the persistent challenges organizations face with insecurely stored service account keys, including real-world examples of security breaches caused by credentials exposed in public repositories and internet-accessible services. Discover how third-party SaaS solutions requiring cloud access keys create additional complexity and visibility challenges for credential management. Learn about core issues within GCP's service account key system and broader IAM model through practical examples demonstrating potential impact when security practices fail. Gain insights from a newly identified vulnerability case study involving a managed GCP service that could have allowed malicious attackers to obtain privileged access to organizational GCP projects. Understand the vulnerability disclosure process and experiences working with Google's security team to address these issues. Acquire knowledge about identifying over-permissive long-lived credentials, alternative approaches to minimize attack windows, and strategies for security teams to better manage credential risks in GCP estates.
Syllabus
Hello? Whose service account keys are these?
Taught by
fwd:cloudsec