Improving the Grand Unified Theory of Cloud Governance
A smidge over a year ago I wrote the Grand Unified Theory of Cloud Governance. It’s a concept I’ve been playing with for about 5 or 6 years to try ...
On Least Privilege, JIT, and Strong Authorization
I’ve been employed as a security professional for over 20 years. I cannot possibly count the number of times I have uttered the words “least privilege”. It’s like a little ...
The Grand Unified Theory of Cloud Governance
One of the toughest lessons I’ve learned as I’ve spent over a decade of my life helping organizations build cloud security programs is how it’s governance, not technology, that’s the real challenge. Yes, the cloud is a dark box full of invisible technical razor blades, but those are manageable with ...
AWS Permission Boundaries for Dummies
AWS permission boundaries are confusing. I know they are confusing because they confused me, and it took me a couple of years to figure them out. I also know they are confusing because Corey Quinn said so, and asked for someone to make them less confusing. AWS Copilot, a CLI for ...
When MFA Isn’t Enough
Rule number one in cloud security is, “thou shalt use MFA at all times”. Why? Well, when you move to public cloud computing you essentially take all your administrative interfaces, consolidate them into a single portal or API, and then… put them on the Internet protected with a username, password, ...
Schrodinger’s Misconfigurations
It’s Thursday afternoon and you’re getting ready to leave work a little early because… you can. But then that pesky Deliverer of Notifications (also known as Slack) pops off a new message in your security alerts channel: Well, darn. Someone just made a snapshot of a storage volume public. Is ...
Implications of the AuthN/AuthZ Gap
It’s become common knowledge that, in cloud, “identity is the new perimeter”. It’s a nice phrase that’s easy to toss into a presentation or an article, but turning it into actionable guidance is a little tougher. Today I want to focus on just one aspect of cloud IAM I call ...