News

The Expert's Cloud Security Best Practices: 2025 Edition

In a climate of escalating cloud threats and increasingly sophisticated adversaries, knowing what you're doing is more than good advice -- it's a necessity. That was the central message from Ian Thornton-Trump during his keynote at today's "Midyear Cloud Security Check-In Summit," now available for on-demand replay.

His session, titled "The Expert's Cloud Security Best Practices: 2025 Edition," urged IT teams to prioritize cloud knowledge, skills, and training as a fundamental layer of defense.

The No. 1 Way to Protect Cloud Operations
Thornton-Trump, a CISO at Inversion 6, pulled no punches on what he sees as the leading safeguard for cloud security: competency.

"The number one way that I'm telling everyone here to deal with your cloud security vulnerabilities is know what you're doing."

Ian Thornton-Trump, Chief Information Security Officer, Inversion6

"The number one way that I'm telling everyone here to deal with your cloud security vulnerabilities is know what you're doing," he said as a special point of emphasis.

This wasn't just off-the-cuff commentary. It was backed by a vivid slide on professional certifications and training badges, emphasizing the level of cloud expertise that attackers now bring to their campaigns. The implication: defenders need at least equal levels of fluency if they hope to stand a chance.

'Do You Know Cloud?'
[Click on image for larger view.] 'Do You Know Cloud?' (source: Thornton-Trump).

"We cannot just take a service, right, and a half dozen servers that it's running on and put them up into the cloud and think magically they're now secure. That's not how it works," he warned. "In fact, I would say once you take them out of the on-premise environment, you're exposing all of the creaky parts of them to the entire internet if you don't know what you're doing.

He also called out the disparity in cloud training across IT teams: "You have absolutely no business trying to do digital transformation in your organization if you don't have people that have got these qualifications for the environment that you're working on."

Thornton-Trump encouraged teams to view cloud training as an investment, not an expense: "This is really about building the internal capacity to support the digital transformation projects that your organization wants to take on."

Cloud Misconfigurations Still Dominate
Throughout the session, Thornton-Trump returned again and again to the risks posed by misconfigurations in cloud infrastructure. He cited a long list of common cloud security lapses -- many stemming directly from lack of training or experience.

  • Insecure use of data backups -- "Snapshots are not backups."
  • Insecure API keys and object storage misconfigurations -- "You didn't know what you were doing."
  • Orphaned resources -- Abandoned projects still accessible and potentially vulnerable.

"Backups had been destroyed," he noted of the Marks and Spencer breach, linking the failure to architectural gaps and attacker knowledge of backup workflows.

'Do You Know Cloud?'
[Click on image for larger view.] 'Victims Appear Not To Know Cloud Sec Controls' (source: Thornton-Trump).

Know Your Adversaries (Because They Know the Cloud)
The summit keynote didn't just focus on defensive gaps -- it highlighted what makes today's threat actors especially dangerous. Groups like Scattered Spider and Dragon Force, often comprised of teenaged hackers, demonstrate an alarming level of cloud platform mastery. They routinely exploit cloud APIs, spin up infrastructure in victim environments, and wipe out backups.

"They will build a server. They will use that server to exfil your data and they will ransomware all the things that they can get their hands on," Thornton-Trump explained. "The bad guys know this infrastructure… They have probably taken these courses just to figure out how to ruin your day."

Brief Highlights: Additional Key Takeaways

  • Retail Cloud Breaches: A Case Study in Consequences: Marks and Spencer reportedly suffered up to $400 million in losses after attackers destroyed ERP, HR, and customer loyalty systems. Thornton-Trump used this case to illustrate how cloud breaches often cascade from weak help desk procedures and untrained staff.
  • Ransomware Meets Cloud Infrastructure: Attackers are using leaked keys and native cloud features (like AWS SSE-C encryption) to lock organizations out of their own S3 buckets. Tools like Trufflehog are often employed to scrape secrets from public repos.
  • Social engineering attacks: He described how attackers impersonate internal staff or third-party vendors (such as help desk providers) to bypass security controls. The Marks and Spencer breach was highlighted as a cautionary tale of what happens when social engineering meets weak process validation.
  • The rise of new threat groups: Groups like Scattered Spider, APT Teens, and Dragon Force were profiled as technically adept, well-organized, and often composed of young actors who specialize in cloud-native attacks and ransomware-as-a-service partnerships.
  • SaaS-targeted threats: He detailed how attackers exploit platforms like Salesforce by tricking admins into installing rogue integrations, such as tampered Data Loader apps, to silently exfiltrate data.
  • Misuse of cloud-native features: Thornton-Trump warned about attackers "living off the land" in environments like AWS, using built-in encryption (e.g., SSE-C on S3) and automation pipelines to encrypt or destroy data.
  • Crypto mining in compromised cloud accounts: He highlighted a case where a single attacker used access to 5,000 cloud accounts to spin up massive compute environments and net over $1.8 million in cryptocurrency -- simply by hijacking cloud resources.
  • Layered defenses and incident response: His mitigation guidance emphasized immutable backups, offline storage, network segmentation, strict help desk validation, and privileged account lockdowns, especially for sensitive platforms like VMware ESXi.
  • Final Advice: Security Requires Layers and Leadership: Thornton-Trump concluded with a call for defense in depth: help desk validation procedures, immutable backups, network segmentation, and least privilege controls across identity systems. "Implement a least privilege policy… You are coming into the office boots together, you're not even getting your password reset without interacting with an actual human being," he said.

As Thornton-Trump reminded attendees: knowing what you're doing isn't just about defending infrastructure -- it's about understanding how the infrastructure itself can be weaponized. Beyond those top topics discussed above, Thornton-Trump also covered a range of other key topics. You can learn all about those in the replay.

And More
And, although replays are fine -- this was just today, after all, so timeliness isn't an issue -- there are benefits of attending such summits and webcasts from Virtualization & Cloud Review and sister sites in person. Paramount among these is the ability to ask questions of the presenters, a rare chance to get one-on-one advice from bona fide subject matter experts (not to mention the chance to win free prizes -- in this case a Bose SoundLink Max Portable Speaker, which was awarded to a random attendee during a session by sponsor Wiz, a leading cloud security specialist).

With all that in mind, here are some upcoming summits and webcasts coming up from our parent company in the next month or so:

About the Author

David Ramel is an editor and writer at Converge 360.

Featured

Most   Popular

Subscribe on YouTube