Improving the Grand Unified Theory of Cloud Governance

Cloud Defense, Uncategorized
A smidge over a year ago I wrote the Grand Unified Theory of Cloud Governance. It’s a concept I’ve been playing with for about 5 or 6 years to try ...

On Least Privilege, JIT, and Strong Authorization

Cloud Defense, iam, JIT
I’ve been employed as a security professional for over 20 years. I cannot possibly count the number of times I have uttered the words “least privilege”. It’s like a little ...

The Grand Unified Theory of Cloud Governance

One of the toughest lessons I’ve learned as I’ve spent over a decade of my life helping organizations build cloud security programs is how it’s governance, not technology, that’s the real challenge. Yes, the cloud is a dark box full of invisible technical razor blades, but those are manageable with ...

AWS Permission Boundaries for Dummies

Uncategorized
AWS permission boundaries are confusing. I know they are confusing because they confused me, and it took me a couple years to figure them out. I also know they are confusing because Corey Quinn said so, and asked for someone to make them less confusing. AWS Copilot, a CLI for ...

When MFA Isn’t Enough

Uncategorized
Rule number one in cloud security is, “thou shalt use MFA at all times”. Why? Well, when you move to public cloud computing you essentially take all your administrative interfaces, consolidate them into a single portal or API, and then… put them on the Internet protected with a username, password, ...

Schrodinger’s Misconfigurations

It’s Thursday afternoon and you’re getting ready to leave work a little early because… you can. But then that pesky Deliverer of Notifications (also known as Slack) pops off a new message in your security alerts channel: Well, darn. Someone just made a snapshot of a storage volume public. Is ...

Implications of the AuthN/AuthZ Gap

It’s become common knowledge that, in cloud, “identity is the new perimeter”. It’s a nice phrase that’s easy to toss into a presentation or an article, but turning it into actionable guidance is a little tougher. Today I want to focus on just one aspect of cloud IAM I call ...