Cloud Security

I recently built a cloud-based SOC lab at home using Microsoft Azure and Sentinel. The goal was to simulate a real-world environment to monitor brute-force attacks in real time. I deployed a Windows VM, deliberately exposed it to the internet, and configured Sentinel to ingest and analyze security events. Using KQL (Kusto Query Language), I filtered failed login attempts and linked source IPs to geolocation data via a watchlist. The result: a live, map-based visualization of attack sources from around the world. This was a hands-on way to better understand log analytics, threat detection, and how SIEM tools operate in practice. 🔗 https://lnkd.in/gGjGzpad Inspired by Josh Madakor's tutorial 👏 #Azure #MicrosoftSentinel #SOC #SIEM #KQL #Cybersecurity

This EY incident underscores a truth we often overlook: the most common cloud vulnerability isn't a zero-day exploit; it's a configuration oversight. A single misstep in cloud storage permissions turned a database backup into a public-facing risk. These files often hold the "keys to the kingdom" ie. credentials, API keys, and tokens that can lead to a much wider breach. How do we protect ourselves against these costly mistakes? Suggestions 1. Continuous Monitoring: Implement a CSPM for 24/7 configuration scanning. CSPM is Cloud Security Posture Management -> a type of automated security tool that continuously monitors cloud environments for misconfigurations, vulnerabilities, and compliance violations. It provides visibility, threat detection, and remediation workflows across multi-cloud and hybrid cloud setups, including SaaS, PaaS, and IaaS services 2. Least Privilege Access: Default to private. Grant access sparingly. 3. Data Encryption: For data at rest and in transit. 4. Automated Alerts: The moment something becomes public, you should know. 5. Regular Audits: Regularly review access controls and rotate secrets.

🚨CISA Releases Guidance on Modern Approaches to Network Security🚨 The Cybersecurity and Infrastructure Security Agency (CISA), America's Cyber Defense Agency, and several partners have just released a comprehensive guide on modern approaches to network access security. This report emphasizes the limitations and vulnerabilities of traditional VPN solutions and advocates for adopting more robust and fine-grained security models like Secure Access Service Edge (SASE) and Secure Service Edge (SSE). Key Takeaways: 🔹 VPN Challenges: VPNs are prone to limitations while providing encrypted tunnels for remote access. These issues can expose organizations to significant risks and breaches. 🔹 Value of SASE & SSE: SASE and SSE focus on secure access to web services and applications, combining capabilities like Zero Trust Network Access, secure web gateways, and cloud access security brokers, ensuring all access is continuously verified. Together, they streamline security policies and offer seamless, secure access to data across hybrid environments. 🌐🔒 🔹 Implement Network Segmentation: Network segmentation is crucial for limiting the spread of attacks within an organization. Organizations can contain potential breaches and minimize the impact on critical systems by dividing the network into smaller, isolated segments. 🔀 🔹 Validate Vulnerability Scans on All Public-Facing Enterprise Assets: Regular vulnerability scans on public-facing assets are essential to identify and remediate potential security gaps. Ensuring that these scans are thorough and validated helps maintain a robust security posture and protects against external threats. 🛡️ Organizations transitioning from traditional VPNs to modern network access solutions can significantly benefit from the strategies and best practices outlined in this guide. Implementing these modern approaches strengthens security and aligns with Zero Trust principles, ensuring a more secure and resilient infrastructure. (Full disclosure: I participated in initial discussions about this guidance before leaving CISA earlier this year. Having been in the networking space for almost 30 years, this type of guidance is critical to help shape discussions on how network security is evolving and supports a Zero Trust mindset in new ways). #ZeroTrust #Technology #CloudComputing #SoftwareEngineering

I've set up hundreds of AWS accounts for clients over the years. Here's your essential checklist when starting a new AWS account: 1. Delete default VPC, create a custom one 2. Set up budget alerts 3. Enable CloudTrail logs 4. Configure strong password policy 5. Enforce MFA for all users 6. Enable AWS Resource Explorer 7. Set up IAM roles and least privilege access 8. Enable AWS Security Hub for centralized security management 9. Implement tagging strategy for cost allocation 10. Enable AWS Organizations for multi-account strategy These steps establish a robust foundation for security, cost management, compliance, and scalability. Pro tip: Automate this process with Infrastructure as Code (IaC) tools like AWS CloudFormation, AWS CDK or Terraform. It ensures consistency and saves time on future setups. Which of these do you prioritize? Any crucial steps I missed? Share your thoughts!

So far this year, AI has been speedrunning security incidents: – Mexico: attackers tell Claude they are doing a bug bounty, keep rephrasing until it starts helping, generate scripts, pivot into Mexican government systems, walk away with around 150 GB of taxpayer and government data. – DJI: hobby coder wants to joystick his $2,000 vacuum, uses Claude to poke the API, grabs a token, suddenly has control of 7,000 robot vacuums in 24 countries, complete with live cameras and floor maps because there was no real device ownership check at all. – OpenClaw: Meta’s Director of Safety and Alignment wires an AI agent into her real inbox, tells it to "ask before acting," watches it forget the instruction after context compaction and aggressively delete huge chunks of mail while she sprints to her Mac mini to yank the cord. Fun to read on X. Terrifying if you ship software. Here is the boring hygiene that would have killed most of this: ○ Treat AI like an intern with root access – Never let agents talk directly to prod. Put them behind narrow, well-reviewed internal APIs with strict allowlists. ○ Bind auth to identity and device, not just a random token –Token should be tied to user, device id, and scope. If a token is valid, it should still only control that one vacuum, that one inbox, that one account. ○ Enforce least privilege for everything –Agents get read-only by default. Separate tokens for "read config", "read logs", "change data", "touch money". Rotate often. ○ Never run AI-generated code in the same blast radius –Sandbox it. Separate VPC, separate account, fake data, no production secrets. Promotion to prod always goes through a human code review. ○ Log like a paranoid SRE –Every agent action is auditable: who issued it, which model, which IP, which token, which resource. Alert on weird patterns and mass actions. ○ Put real rate limits in front of sensitive APIs – Even if an agent goes rogue, it should hit a wall before "wipe 150 GB" or "delete 10,000 emails" becomes possible. ○ Keep secrets away from chats – No raw API keys or prod passwords inside prompts, notes, or agent configs. Use secret managers and short-lived credentials only. ○ Validate intent on destructive operations – Extra confirmation flows for delete, rotate, and mass update. Ideally, with out-of-band verification, not just "yes" in the same chat. ○ Test failure modes, not just happy paths – Red team your own agents. Ask "what happens if it forgets this instruction", "what if the token leaks", "what if someone lies about doing a bug bounty". -- ♻️ Share this for future reference 📢 Follow saed ‎for more & subscribe to the newsletter: https://lnkd.in/eD7hgbnk I am now on 📸 Instagram: instagram.com/saedctl say hello, DMs are open

A few months ago, we found a malicious AWS CloudFormation template trying to breach a customer's AWS account. It was disguised as “AWS Support for Fargate” Here’s what it’s really up to: 1. Grants itself administrator-level permissions via a fake support IAM role 2. Deploys a lambda function (in-line) to exfiltrate role ARN to an external API Gateway endpoint 3. Invoke itself using AWS CloudFormation CustomResource 📘 Blue team tips - Always review the IAM roles, policies, and external calls in any template. - Use the IAM Access Analyzer to verify external trust relationships - Don’t blindly trust anything labeled “AWS Support” — verify it first! - Report to AWS Security teams ASAP 📕 Red team tips - The malicious actor is identified by the AWS account ID in the AssumeRole policy. - Consider flooding the API endpoint with randomly generated payloads using fake IAM role ARNs.

🔐 RBAC vs. ABAC: Choosing the Right Access Control for Your IAM Strategy 🚀 In Identity and Access Management (IAM), controlling who can access what is critical. Two powerful approaches—Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC)—offer distinct ways to manage permissions. But which one fits your needs? Let’s break it down! 🧠 🔍 Role-Based Access Control (RBAC) What is it? Assigns permissions based on predefined roles tied to job functions (e.g., "Admin," "Developer"). Users inherit access through their roles. How it works: Admins define roles and assign users to them. Permissions are tied to roles, not individuals. Best for: Organizations with clear hierarchies and stable access needs (e.g., enterprise apps like Salesforce). Pros: Simple to implement and manage. Scalable for large teams with similar access needs. Supported by most IAM tools (e.g., Okta, AWS IAM). Cons: Less flexible for dynamic or complex access scenarios. Can lead to "role explosion" with too many roles. Example: A "Marketing" role grants access to social media tools but not financial systems. Fun Fact: RBAC is a staple in traditional enterprises for its straightforward approach! 🔑 Attribute-Based Access Control (ABAC) What is it? Grants access based on attributes (e.g., user’s department, location, time, or device) using dynamic policies. How it works: Policies evaluate attributes in real-time to decide access (e.g., "Allow access if user is in HR, in the UK, during work hours"). Best for: Dynamic, complex environments like cloud-native apps or zero-trust architectures. Pros: Highly granular and flexible for nuanced access needs. Adapts to context (e.g., location, risk level). Ideal for modern IAM platforms like Ping Identity. Cons: More complex to set up and maintain. Requires robust policy management and attribute data. Example: An employee can access sensitive data only from a secure device in the office. Fun Fact: ABAC’s flexibility makes it a go-to for zero-trust security models! ⚖️ Key Differences: Approach: RBAC uses static roles; ABAC uses dynamic attributes. Flexibility: RBAC is simpler but rigid; ABAC is flexible but complex. Use Case: RBAC suits structured organizations; ABAC excels in dynamic, cloud, or high-security settings. Scalability: RBAC is easier for broad access; ABAC scales better for fine-grained control. 💡 Why They Matter Together: RBAC offers simplicity for standard access, while ABAC provides precision for complex scenarios. Many IAM tools (e.g., SailPoint, Microsoft Entra ID) support both, letting you combine them for hybrid strategies. For example, use RBAC for employee apps and ABAC for sensitive data access. 🔥 Pro Tip: Start with RBAC for quick wins, then layer ABAC for high-risk or dynamic use cases. Tools like Okta or Saviynt make this seamless! Which do you use—RBAC, ABAC, or both? Share your IAM insights or challenges below! 💬 #Cybersecurity #IAM #RBAC #ABAC #Tech

What a surprise for the EU 😱 😉 A recently published expert opinion commissioned by the German Federal Ministry of the Interior has sparked a pivotal discussion on data governance and sovereignty. According to the report, US authorities can exert far-reaching access rights to cloud data managed by US-based companies, even when that data is stored in European data centers and administered through local subsidiaries. This is because legal instruments such as the Stored Communications Act extended by the Cloud Act and Section 702 of FISA focus on the provider’s control, not the physical location of the servers. This finding is a firm reminder that simply hosting data on European soil does not guarantee protection from extraterritorial legal claims. It reveals structural risks in relying on dominant foreign cloud providers for sensitive data and critical digital infrastructure. For Europe to truly uphold its data protection principles and strategic autonomy, the conversation must go beyond compliance checklists and contractual assurances. We need stronger investment in #opensource digital infrastructure and indigenous technologies that reduce dependency on non-European platforms. Open source fosters transparency and auditability while enabling communities and businesses to build on systems that are not bound by foreign legal systems. If #digitalsovereignty is to mean more than a buzzword, we must accelerate our efforts towards resilient, interoperable, and locally governed alternatives. Only then Europe can ensure that its data is governed by the laws and values that its citizens and organisations expect. Source: https://lnkd.in/dtpXiwYN

Here I attached the Cybersecurity Technology Stack. This poster is a complete visual guide to the key cybersecurity tools and technologies across all major categories from SIEM, EDR, XDR, SOAR, TIP, PAM, CSPM to deception technologies, UEBA and more. I created this to help professionals and newcomers get a clearer picture of what solutions are available and how they fit into the larger cybersecurity ecosystem. When I first started working in cybersecurity operations, most environments focused heavily on perimeter defence and endpoint protection. But attackers have evolved. Today, a proper setup requires multiple integrated layers that work together. No single tool is enough. What matters is how these tools connect to give visibility, control and speed in detection and response. If you're building or reviewing your cybersecurity stack, these are the key areas I recommend you consider: 1. Visibility with SIEM •Start with a strong SIEM platform. This will collect logs across your infrastructure from endpoints, firewalls, cloud and identity systems and help detect patterns or anomalies. 2. Real-time Threat Detection with EDR or XDR •Next, deploy EDR to get deep visibility into endpoint activities. If your budget allows, move towards XDR to combine endpoint, network and cloud telemetry into one detection layer. 3. Response Automation with SOAR •As alerts come in, you need a fast and consistent way to respond. A SOAR platform can automate triage, enrich alerts with threat intel and reduce the time analysts spend on manual tasks. 4. Threat Intelligence Integration •No matter how good your SIEM or EDR is, you need context. Use Threat Intelligence Platforms (TIP) to enrich data with external threat indicators and insights. 5. Secure Privileged Access with PAM •If an attacker gets access to a privileged account, the damage can be severe. Implement PAM to secure, manage and audit access to critical systems and credentials. 6. Vulnerability Management •A well-monitored environment still becomes weak if patching is not managed. Use vulnerability scanners and patch management systems to identify and remediate weaknesses quickly. 7. Cloud Security Posture and Identity Management •As more workloads move to the cloud, ensure you have CSPM tools and proper IAM controls in place to prevent misconfigurations and abuse of identity-based access. 8. Advanced Detection with NDR, UEBA, and Deception •For mature setups, consider adding Network Detection & Response, User Behaviour Analytics and deception technologies. These give you deeper layers of defence and help detect stealthy attacks. Building a modern cybersecurity setup is not about chasing tools, but designing an architecture where each solution complements the other. You want detection, correlation, automation and response to happen as smoothly as possible. This is the mindset behind the stack I designed. Every component in this poster plays a role in defending against modern threats.

Today's outages is a great reminder of the most dangerous mentality that pervades our digital world... The belief in the 𝘁𝗼𝗼 𝗯𝗶𝗴 𝘁𝗼 𝗳𝗮𝗶𝗹 cloud provider or centralized service. As such, we said bye-bye to: 😵 Canva 😵 Coinbase 😵 Substack + many more... Today, a significant chunk of the internet, from crypto exchanges to creative platforms, slowed or stopped because of a single point of failure within a major cloud system. 🐘 This event isn't an anomaly; it's a recurring alarm that both investors and entrepreneurs must stop snoozing. The consolidation of the internet onto a handful of hyperscale cloud providers has created unprecedented efficiency and scale. However, it has also created a critical single point of failure, hiding enormous risk under a veneer of convenience. Let's break this down into something more tangible! For Investors: 🪙 Systemic Risk: A company that relies solely on one centralized infrastructure for its entire operation is subject to systemic, unmitigable risk. A 3-hour AWS outage can erase millions in value and severely damage brand trust. 🪙 Due Diligence Must Evolve: Beyond reviewing financials and market share, investor due diligence now requires a deep dive into a company's operational resilience. Ask: Where do you run your core services? What is your failover strategy? How quickly can you move and rebuild this? For Entrepreneurs: 🪙 The Cost of Convenience: Building on a single big cloud is fast, but it compromises your operational independence. You are essentially renting a dependency. 🪙 Reputation is Resilience: In a competitive landscape, your users will forgive occasional technical difficulties, but they will not forgive a total shutdown due to poor planning. Operational resilience is now a core part of your customer value proposition and brand integrity. For the record 💡 a material workload is any application or service whose failure would cripple your business (e.g., core transaction database, user authentication, or primary website). These workloads require a strategic approach that rejects the too big to fail assumption. So next time, you're thinking about hedging all your bets onto a single company, 𝗿𝗲𝗺𝗲𝗺𝗯𝗲𝗿: 𝗥𝗲𝘀𝗶𝗹𝗶𝗲𝗻𝗰𝗲 𝗶𝘀 𝘁𝗵𝗲 𝗻𝗲𝘄 𝗥𝗢𝗜. 😉 The investment and engineering communities must pivot from prioritising sheer scale and convenience to demanding operational resilience because today's downtime isn't just a technical glitch... it's a financial and strategic failure. #buildbetter #scalefaster #failless Mangrove