Cloud Transition Challenges - From Posture Management to AI-Ready SOCs
This week's newsletter explores the evolving landscape of cloud security with insights from Palo Alto Networks executive Elad Koren. We cover critical developments including SAP zero-day patches, Kubernetes service account token integration, vulnerable Helm charts, and Steam's alleged 2FA breach, while examining how security operations centers must evolve to handle cloud-native incidents.
Hello from the Cloud-verse!
This week’s Cloud Security Newsletter Topic is - Cloud Transition Challenges - From Posture Management to AI-Ready SOCs (continue reading)

In case this is your first Cloud Security Newsletter: you are in good company!
You are reading this issue alongside friends and colleagues from companies like Netflix, Citi, JP Morgan, LinkedIn, Reddit, GitHub, GitLab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc & more who subscribe to this newsletter. Like you, they want to learn what's new in Cloud Security each week from their industry peers, as do the many others who listen to Cloud Security Podcast & AI CyberSecurity Podcast every week.
Welcome to this week's edition of the Cloud Security Newsletter!
In this issue, we're diving deep into the evolving landscape of cloud security with a special focus on how Security Operations Centers (SOCs) need to adapt to cloud-native environments. Our featured guest, Elad Koren from Palo Alto Networks, brings nearly two decades of cybersecurity expertise and offers valuable insights on the evolution of cloud security, the impact of AI, and the importance of runtime protection.
📰 THIS WEEK'S SECURITY NEWS
🤖 Microsoft Warns Default Helm Charts Could Leave Kubernetes Apps Exposed to Data Leaks
Microsoft's Defender for Cloud Research team has warned that using out-of-the-box Helm charts for Kubernetes deployments could lead to serious security misconfigurations. These pre-made templates often prioritize ease of use over security, exposing services externally without proper network restrictions and lacking adequate authentication by default. Vulnerable projects identified include Apache Pinot, Meshery, and Selenium Grid. More Information here.
Why it matters: For cloud security practitioners, this highlights the critical need to review all default configurations before deployment in production environments. Default settings in cloud-native technologies are often optimized for developer experience rather than security. Implementing a strong review process for Helm charts and other IaC templates should be a fundamental part of any cloud security program.
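The review step described above can be made mechanical. The following is an added example (not Microsoft's research code or any chart's own tooling) that takes a chart's rendered manifests, assumed to have already been converted from `helm template` output into a list of JSON-style dicts, and flags Services that hand out an address reachable from outside the cluster, Services of type LoadBalancer with no source-range restriction, and releases that ship no NetworkPolicy at all. The manifests are constructed for the example; the "hardened" set shows the same workload restricted to ClusterIP with a NetworkPolicy, which is the shape a review should push charts toward.

```python
"""Flag externally exposed Services in rendered Kubernetes manifests.

Added example, not code from Microsoft or from any Helm chart project.
Assumes the chart has been rendered and converted to a list of dicts
(e.g. `helm template` output fed through a YAML-to-JSON converter).
"""
from collections.abc import Iterable

# Service types that allocate an address reachable from outside the cluster.
EXTERNAL_SERVICE_TYPES = {"LoadBalancer", "NodePort"}


def review_release(manifests: Iterable[dict]) -> dict:
    """Return exposed Services and whether any NetworkPolicy is present."""
    exposed = []
    has_network_policy = False
    for m in manifests:
        kind = m.get("kind")
        if kind == "NetworkPolicy":
            has_network_policy = True
            continue
        if kind != "Service":
            continue
        spec = m.get("spec", {})
        svc_type = spec.get("type", "ClusterIP")  # Kubernetes default type
        name = m.get("metadata", {}).get("name", "<unnamed>")
        ports = [p.get("port") for p in spec.get("ports", [])]
        if svc_type not in EXTERNAL_SERVICE_TYPES:
            continue
        reasons = [f"type {svc_type} is reachable from outside the cluster"]
        # A LoadBalancer with no source ranges accepts traffic from any address.
        if svc_type == "LoadBalancer" and not spec.get("loadBalancerSourceRanges"):
            reasons.append("no loadBalancerSourceRanges set")
        exposed.append({"service": name, "type": svc_type,
                        "ports": ports, "reasons": reasons})
    return {"exposed_services": exposed, "has_network_policy": has_network_policy}


# Constructed manifests resembling a convenience-first default chart.
SAMPLE_MANIFESTS = [
    {"kind": "Service", "metadata": {"name": "demo-ui"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]}},
    {"kind": "Service", "metadata": {"name": "demo-db"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]}},
    {"kind": "Service", "metadata": {"name": "demo-admin"},
     "spec": {"type": "NodePort", "ports": [{"port": 8080, "nodePort": 30080}]}},
    {"kind": "Deployment", "metadata": {"name": "demo-ui"}, "spec": {}},
]

# Constructed hardened variant: internal-only Services plus a NetworkPolicy.
HARDENED_MANIFESTS = [
    {"kind": "Service", "metadata": {"name": "demo-ui"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80}]}},
    {"kind": "Service", "metadata": {"name": "demo-db"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "demo-ui-ingress"},
     "spec": {"podSelector": {"matchLabels": {"app": "demo-ui"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "ingress"}}}]}]}},
]

if __name__ == "__main__":
    for label, manifests in (("default", SAMPLE_MANIFESTS), ("hardened", HARDENED_MANIFESTS)):
        result = review_release(manifests)
        print(label, "network policy present:", result["has_network_policy"])
        for finding in result["exposed_services"]:
            print("  ", finding["service"], finding["type"], finding["ports"], "; ".join(finding["reasons"]))
```

Running the check as part of the pipeline that renders the chart gives a review gate that fails before anything reaches a cluster; the authentication side of the same problem still needs a manual look, since whether an exposed port requires credentials is application behaviour that a manifest scan cannot see.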
🚨 SAP Patches Second Zero-Day Flaw Exploited in Recent Attacks
SAP has released patches for a second zero-day vulnerability (CVE-2025-42999) that was being exploited alongside a previously patched vulnerability (CVE-2025-31324) in SAP NetWeaver. According to Onapsis CTO Juan Pablo Perez-Etchegoyen, attackers have been chaining both vulnerabilities since January 2025 to execute arbitrary commands remotely without authentication. The Shadowserver Foundation is tracking over 2,040 vulnerable SAP NetWeaver servers exposed online. More Information here.
Why it matters: Supply chain attacks targeting business-critical applications like SAP represent a significant risk to cloud environments where these applications are increasingly being hosted. Cloud security teams should prioritize patching these vulnerabilities immediately and implement additional monitoring for suspicious activity targeting SAP instances in their environment.
🔍 Kubernetes v1.33 Enhances Container Image Pull Security with Service Account Tokens
Kubernetes v1.33 introduces Service Account Token Integration for Kubelet Credential Providers in alpha. This feature allows credential providers to use pod-specific service account tokens to obtain registry credentials for image pulls, eliminating the need for long-lived image pull secrets. This enhancement brings workload-specific authentication, automatic token rotation, and better isolation between workloads. More Information here.
Why it matters: The move from long-lived secrets to ephemeral, automatically rotated tokens represents a significant security improvement for cloud-native environments. Cloud security teams should evaluate this feature as it reduces the attack surface associated with persistent credentials in the cluster and aligns with the principle of least privilege.
☠️ UK Government Moving from Passwords to Passkeys for Enhanced Web Security
The UK government has announced plans to roll out passkey technology across its digital services this year, replacing traditional passwords. Government websites, including HMRC and NHS sites, will start offering the ability to use cryptographic keys stored on phones or laptops for more secure authentication. Microsoft has also announced plans to make new Microsoft accounts "passwordless by default." More Information here.
Why it matters: As cloud services become more integral to critical infrastructure, improving authentication security becomes paramount. Passkeys offer stronger protection against phishing and credential theft compared to traditional passwords and even SMS-based two-factor authentication. Cloud security teams should consider similar authentication improvements for their own services.
CLOUD SECURITY TOPIC OF THE WEEK
Cloud Transition Challenges - From Posture Management to AI-Ready SOCs
Featured Experts This Week 🎤
Elad Koren (VP, Product Management, Cortex Cloud)
Definitions and Core Concepts 📚
Before diving into our insights, let's clarify some key terms:
Runtime Protection: Security controls that operate while applications and infrastructure are running in production, detecting and preventing attacks in real-time.
CSPM (Cloud Security Posture Management): Tools that assess cloud configurations against security best practices and compliance frameworks.
CNAPP (Cloud-Native Application Protection Platform): Integrated solutions that combine workload protection, CSPM, and application security.
Cloud SOC: A security operations center equipped with the tools, knowledge, and processes to detect and respond to cloud-specific security incidents.
This week's Issue is sponsored by Varonis
Redefining Data Security Strategies for a Gen AI World
AI is transforming how we work — but is your data security keeping up?
Learn from our data security experts to better understand the AI risk landscape, how to protect your data without slowing down company progress, and better yet - how to use AI to your advantage for even better data protection.
Sign up today for our free session and get access to a free Generative AI risk assessment when you attend.
💡Our Insights from this Practitioner 🔍
The Cloud Security Evolution Timeline
According to Elad Koren, the cloud security landscape has undergone a remarkable transformation over the past 15 years. "About 15 years ago... just the mere thought of going to cloud was, why cloud. No way. Like I will not take my business to the cloud because the risk is too high," he recalls. Today, however, "even financial institutions, even as big as one of the major US banks, their infrastructure is in the cloud."
This shift occurred because cloud providers and security vendors developed tools that could adequately secure cloud environments. The initial focus was on Cloud Security Posture Management (CSPM), which emerged around 6-7 years ago to help organizations maintain proper security hygiene in their cloud environments.
The Inflection Point: From Posture to Runtime
However, a significant inflection point occurred about 1-2 years ago. As Koren explains, "that inflection point that happened about a year or two ago, where you started seeing the shift from posture, CNAPP maintaining the hygiene for cloud to, hey. Does your SOC understand your cloud? Do they understand how an incident looks like?"
This represents a critical evolution in cloud security thinking. While maintaining good posture (proper configurations, least privilege, etc.) remains important, organizations now recognize the need for runtime protection and cloud-aware security operations. As Koren puts it, "a true cloud solution today must have all the pillars starting all the way left to solve things as soon as possible... but just as important, the protection on that runtime, that cloud environment and having the SOC with the right tools in place."
The Double Challenge: Cloud Complexity and AI Acceleration
Organizations face a dual challenge today:
Cloud Complexity: Many organizations still struggle with cloud adoption due to the sheer number of services and configuration options. Koren compares it to moving from a 15-year-old car with a stick shift to a Tesla: "You have so many options and suddenly you're using something you didn't even know exists." This complexity creates security gaps that attackers can exploit.
AI Acceleration: Artificial intelligence is accelerating both development and attacks. "It helps organizations move much quicker, just like the cloud... but it also helps the attackers move much faster," Koren warns. Attackers now have sophisticated tools powered by AI at their disposal, creating what Koren describes as "the wild west."
Building a Modern Cloud Security Program
For organizations building or enhancing their cloud security programs, Koren recommends:
Establish Clear AI Policies and Monitoring: "We have a very clear policy of AI and AI usage. We monitor, we understand the models use the posture management security posture management of these AI tools. And we have active tools to prevent this AI from being abused."
Adopt a Holistic Data Security Approach: Data used by AI systems is the same data used across all data stores, requiring a comprehensive security strategy.
Implement Runtime Protection with Full Visibility: Security teams need complete visibility from the point of entry (e.g., a phishing email) all the way to cloud resources. Koren emphasizes, "if you don't have the signals coming in from all of that for your investigation, then you're blind right here or half blind."
Start with Security Education and Enforcement: For organizations just beginning their cloud journey, Koren advises: "If you educate your organization that the engineering and your development organization is adhering to those codes of conduct... using the vault, using the right practices for secured coding... and you enforce it from day one in your cloud journey, then you'll have a much easier live layer."
Choose Solutions That Can Adapt Quickly: Select security solutions that can rapidly respond to new threats as they emerge.
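The "full visibility from point of entry to cloud resources" recommendation above is, in practice, a correlation problem for the SOC: the phishing click, the identity-provider login and the cloud API calls arrive from three different log sources and only tell a story when joined on the user and the time. The following is an added example, not a Cortex Cloud or Palo Alto Networks feature; the event schema and the events themselves are constructed, and the two-hour window is an assumed tuning value.

```python
"""Join an email-gateway phishing alert with the identity and cloud API events
that follow it for the same user. Added example with a constructed event
schema; not code from any vendor product. Timestamps are UTC in ISO-8601."""
from datetime import datetime, timedelta

# Assumed correlation window after the phishing click (tuning value, not a standard).
WINDOW = timedelta(hours=2)

# Map each log source to the stage of the chain it evidences.
STAGE_BY_SOURCE = {"idp": "identity", "cloudtrail": "cloud"}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def severity(stages: set) -> str:
    """Escalate as the chain reaches further into the cloud environment."""
    if "cloud" in stages:
        return "high"
    if "identity" in stages:
        return "medium"
    return "low"


def correlate(events: list, window: timedelta = WINDOW) -> dict:
    """Return, per user with a phishing click, the follow-on events inside the window."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    chains = {}
    # Pass 1: each phishing click opens a chain (a later click for the same user replaces it).
    for e in ordered:
        if e["source"] == "email_gateway" and e["action"] == "phishing_link_clicked":
            chains[e["user"]] = {"entry": e, "events": [], "stages": set()}
    # Pass 2: attach identity and cloud events that follow the click within the window.
    for e in ordered:
        chain = chains.get(e["user"])
        if chain is None or e["source"] == "email_gateway":
            continue
        delta = parse_ts(e["ts"]) - parse_ts(chain["entry"]["ts"])
        if timedelta(0) <= delta <= window:
            chain["events"].append(e)
            chain["stages"].add(STAGE_BY_SOURCE.get(e["source"], e["source"]))
    for chain in chains.values():
        chain["severity"] = severity(chain["stages"])
    return chains


# Constructed sample events from three sources, normalised to one schema.
EVENTS = [
    {"ts": "2025-05-12T09:00:00Z", "source": "email_gateway", "user": "alice@example.com",
     "action": "phishing_link_clicked", "detail": "url category: credential harvesting"},
    {"ts": "2025-05-12T09:07:00Z", "source": "idp", "user": "alice@example.com",
     "action": "login_success", "detail": "unrecognised device"},
    {"ts": "2025-05-12T09:15:00Z", "source": "cloudtrail", "user": "alice@example.com",
     "action": "CreateAccessKey", "detail": "iam.amazonaws.com"},
    {"ts": "2025-05-12T09:20:00Z", "source": "cloudtrail", "user": "alice@example.com",
     "action": "ListBuckets", "detail": "s3.amazonaws.com"},
    {"ts": "2025-05-12T09:30:00Z", "source": "cloudtrail", "user": "bob@example.com",
     "action": "ListBuckets", "detail": "s3.amazonaws.com"},  # no entry event: not a chain
    {"ts": "2025-05-12T15:00:00Z", "source": "cloudtrail", "user": "alice@example.com",
     "action": "DescribeInstances", "detail": "ec2.amazonaws.com"},  # outside the window
]

if __name__ == "__main__":
    for user, chain in correlate(EVENTS).items():
        print(f"{user}: severity={chain['severity']} stages={sorted(chain['stages'])}")
        for e in chain["events"]:
            print(f"   {e['ts']} {e['source']:14} {e['action']}")
```

Without the email-gateway signal, the analyst sees only a successful login and some IAM activity for a legitimate user; with it, the same events form one chain from entry to cloud resource, which is the "half blind" gap Koren describes. The same join works for any entry source that reports a user identity, as long as each source is normalised to a shared user field before correlation.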
Question for you? (Reply to this email)
What’s your Anti-Pattern for AWS SOC in 2025?
Next week, we'll explore another critical aspect of cloud security. Stay tuned!
We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.
Thank you for continuing to subscribe and welcome to the new members of this newsletter community💙
Peace!
Was this forwarded to you? You can Sign up here, to join our growing readership.
Want to sponsor the next newsletter edition? Let's make it happen.
Have you joined our FREE Monthly Cloud Security Bootcamp yet?
Check out our sister podcast, AI Cybersecurity Podcast.