The Not So Boring Threat Model of CSP-Managed NHI’s
Unknown
BSides Las Vegas 2025 · Day 1
**Kat Traxler**, principal security researcher at **Vectra AI**, delivers a comparative threat model of **cloud service provider (CSP) managed non-human identities (NHIs)** across **AWS**, **Google Cloud**, and **Microsoft**. She is explicit about her discomfort with the **NHI** label as an industry catch-all, but adopts it as the shared vocabulary for identities that are not end users, especially the background principals that CSPs create and manage on customers' behalf. The talk follows a simple threat-modeling scaffold: what object is in scope, what is architecturally unique to each cloud, which vulnerability patterns follow from those design choices, and which of them customers can actually prevent versus only detect. The tone is direct and comparative ("who wore it best"), culminating in a blunt grading slide and a promise of a forthcoming white paper with deeper references.
AI review
A crisp cross-cloud identity threat model that names concrete architectural invariants (multi-tenancy, birthrights, hybrid ownership) and maps them to attacker logic without pretending the clouds are equivalent.