🚨NSA Releases Guidance on Hybrid and Multi-Cloud Environments🚨

The National Security Agency (NSA) recently published an important Cybersecurity Information Sheet (CSI): "Account for Complexities Introduced by Hybrid Cloud and Multi-Cloud Environments." As organizations increasingly adopt hybrid and multi-cloud strategies to enhance flexibility and scalability, understanding the complexities of these environments is crucial for securing digital assets. This CSI provides a comprehensive overview of the unique challenges presented by hybrid and multi-cloud setups.

Key Insights Include:

🛠️ Operational Complexities: Addressing the knowledge and skill gaps that arise from managing diverse cloud environments and the potential for security gaps due to operational silos.
🔗 Network Protections: Implementing Zero Trust principles to minimize data flows and secure communications across cloud environments.
🔑 Identity and Access Management (IAM): Ensuring robust identity management and access control across cloud platforms, adhering to the principle of least privilege.
📊 Logging and Monitoring: Centralizing log management for improved visibility and threat detection across hybrid and multi-cloud infrastructures.
🚑 Disaster Recovery: Utilizing multi-cloud strategies to ensure redundancy and resilience, facilitating rapid recovery from outages or cyber incidents.
📜 Compliance: Applying policy as code to ensure uniform security and compliance practices across all cloud environments.

The guide also emphasizes the strategic use of Infrastructure as Code (IaC) to streamline cloud deployments and the importance of continuous education to keep pace with evolving cloud technologies. As organizations navigate the complexities of hybrid and multi-cloud strategies, this CSI provides valuable insights into securing cloud infrastructures against the backdrop of increasing cyber threats.

Embracing these practices not only fortifies defenses but also ensures a scalable, compliant, and efficient cloud ecosystem.

Read NSA's full guidance here: https://lnkd.in/eFfCSq5R

#cybersecurity #innovation #ZeroTrust #cloudcomputing #programming #future #bigdata #softwareengineering
Cloud Security
-
🏛️ What experts knew, Microsoft finally admitted

Microsoft France's legal director recently testified before the 🇫🇷 French Senate about data protection. When asked whether he could guarantee that French citizens' data would never be transferred to US authorities without explicit authorization, he replied: "No, I cannot guarantee that."

Microsoft admitted what many of us have been saying for years: American companies follow American laws 🇺🇸, no matter where they put their servers.

- All those European data centers?
- The local staff monitoring access?
- The "sovereign" cloud services with EU-only promises?

❌ None of it matters when the Cloud Act comes into play.

The technical director tried to soften the blow: "European customer data won't leave the EU." But the data doesn't need to leave - US authorities can access it remotely under US law.

Amazon, Google, Oracle - every American cloud provider is bound by the same rules. They're all extensions of the US government when it matters.

European governments have been paying billions for the illusion of sovereignty. Detailed compliance reports that mean nothing when geopolitics gets serious.

The Cloud Act makes this crystal clear: US companies serve US interests first, no matter where they put their servers.

#DigitalSovereignty #CloudAct #DataProtection #EuropeanCloud #TrustInTech #PrivacyByDesign
-
Over the past year, the number of users clicking on phishing links has nearly tripled! Research by Netskope in their recent Cloud and Threat Report showed an increase from 2.9 in 2023 to 8.4 out of every 1,000 users in the average organisation clicking on a phishing link each month. This increase comes despite most organisations requiring users to undergo security awareness training to avoid phishing attacks. The main factors leading to this increase are cognitive fatigue and the creativity and adaptability of the attackers in delivering harder-to-detect baits. The top target for phishing campaigns users clicked on in 2024 were cloud applications, representing over one-quarter of the clicks. These findings did not surprise me, as most of the breaches our MinterEllison cyber team responded to were caused by social engineering/phishing.
-
As security engineers, we spend countless hours writing scripts, building dashboards, and chasing drift across fleets of EC2 instances and Kubernetes clusters, all in the name of "continuous compliance." But what if instead of reacting to drift, we proactively queried our infrastructure the same way a language model queries a knowledge base?

That's the promise behind deploying a Model Context Protocol (MCP) server on AWS, a way to let AI agents securely ask "Is AIDE configured for host integrity?" or "Are EKS nodes enforcing FIPS-compliant ciphers?" and get structured, testable answers in real time.

This isn't about using LLMs to replace auditors. It's about turning security questions into machine-verifiable actions: checking whether auditd is configured with immutable logs, confirming whether VPC microsegmentation rules align with Zero Trust, or ensuring CloudWatch is alerting on unauthorized config changes, all through declarative MCP interfaces.

When deployed correctly, MCP could potentially become a middleware for security posture validation. On AWS, for example, this means marrying IAM roles, signed task runners, and context-aware policies to let agents check config states without over-permissioning. Imagine an LLM automatically validating that a hardened AMI hasn't diverged from your CIS/STIG baseline, or flagging missing log forwarding on a new K8s namespace.

This is more than automation. It's about turning security into a queryable surface, where evidence, not effort, drives assurance.

🔗 How to securely run Model Context Protocol (MCP) servers on the AWS Cloud using containerized architecture: https://lnkd.in/eiEhR527
🔗 Guidance for Deploying Model Context Protocol Servers on AWS: https://lnkd.in/er6r6Pxw
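The "security question in, machine-verifiable answer out" idea above, as an added example that is not code from the post or from the linked AWS guidance. Two of the questions the post mentions (is auditd locked in immutable mode; has a host drifted from its baseline) are implemented as checks that take already-collected configuration text and return a structured finding with evidence, the shape an MCP tool could hand back to an agent. The collection step and the MCP transport are out of scope; tool names, the baseline values and all sample inputs are constructed for illustration, not CIS/STIG excerpts.

```python
"""
Added example (not from the post or the AWS guidance it links): security
questions answered as structured, testable findings. Inputs are config text
already collected from a host; sample inputs are constructed.
"""
import json
import re
from dataclasses import asdict, dataclass, field


@dataclass
class Finding:
    control: str
    passed: bool
    evidence: list = field(default_factory=list)
    remediation: str = ""


def check_auditd_immutable(rules_text: str) -> Finding:
    """Is the rule set locked with `-e 2`, and is that directive the last line?

    Once auditctl processes `-e 2` the configuration is immutable until reboot,
    so any rule that follows it fails to load. The check therefore demands both
    that `-e 2` is present and that nothing comes after it.
    """
    control = "auditd.rules.immutable"
    # Strip comments/blank lines but keep original line numbers for evidence.
    lines = [(n, raw.split("#", 1)[0].strip())
             for n, raw in enumerate(rules_text.splitlines(), 1)]
    lines = [(n, ln) for n, ln in lines if ln]
    lock = [n for n, ln in lines if re.fullmatch(r"-e\s+2", ln)]
    if not lock:
        return Finding(control, False, ["no '-e 2' directive present"],
                       "append '-e 2' as the final line of the rule set and reload auditd")
    trailing = [f"line {n}: {ln}" for n, ln in lines if n > lock[0]]
    if trailing:
        return Finding(control, False, [f"line {lock[0]}: -e 2 is not last"] + trailing,
                       "move '-e 2' to the end; rules after it are never loaded")
    return Finding(control, True, [f"line {lock[0]}: -e 2 is the final directive"])


def check_sysctl_baseline(expected: dict, sysctl_output: str) -> Finding:
    """Has a host drifted from a baseline of expected kernel parameters?

    `sysctl_output` is `sysctl -a` style `key = value` text; `expected` is the
    baseline (hypothetical values in this example).
    """
    actual = {}
    for raw in sysctl_output.splitlines():
        if "=" in raw:
            k, v = raw.split("=", 1)
            actual[k.strip()] = v.strip()
    drift = [f"{k}: expected {want!r}, got {actual.get(k)!r}"
             for k, want in expected.items() if actual.get(k) != want]
    return Finding("kernel.sysctl.baseline", not drift,
                   drift or [f"{len(expected)} parameters match baseline"],
                   "" if not drift else "re-apply the baseline sysctl.d fragment and re-check")


# Registry of question name -> check, the shape an MCP server would expose as
# tools. The tool names are assumptions made for this example.
TOOLS = {
    "auditd_immutable": check_auditd_immutable,
    "sysctl_baseline": check_sysctl_baseline,
}


def answer(tool: str, *args) -> str:
    """Run one registered check and return its finding as JSON for the caller."""
    return json.dumps(asdict(TOOLS[tool](*args)), indent=2)


# Constructed sample inputs.
LOCKED_RULES = "-D\n-b 8192\n-w /etc/passwd -p wa -k identity\n-e 2\n"
EARLY_LOCK = "-D\n-e 2\n# added later during a debug session\n-w /etc/shadow -p wa -k identity\n"
NO_LOCK = "-D\n-w /etc/passwd -p wa -k identity\n"

BASELINE = {"kernel.randomize_va_space": "2", "net.ipv4.ip_forward": "0"}
SYSCTL_GOOD = "kernel.randomize_va_space = 2\nnet.ipv4.ip_forward = 0\n"
SYSCTL_DRIFT = "kernel.randomize_va_space = 2\nnet.ipv4.ip_forward = 1\n"

if __name__ == "__main__":
    print(answer("auditd_immutable", EARLY_LOCK))
    print(answer("sysctl_baseline", BASELINE, SYSCTL_DRIFT))
```

The point of returning evidence lines rather than a bare boolean is that the agent, or the human reviewing its output, can verify the verdict against the source text instead of trusting the tool; that is what makes the answer auditable rather than just automated.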
-
What happens if the new US Government tears up the Cloud Act?

Experience shows that without any warning they aren't shy about ripping up international agreements (trade or otherwise). There's growing concern that we could wake up one morning to find that the Cloud Act and associated digital sovereignty frameworks are gone with one stroke of a pen.

This isn't abstract fear-mongering. It's a very real risk. Personally, I'd hate to be sitting in front of a Select Committee, or my CEO, explaining why we didn't have a Plan B.

If these legal protections disappear, UK and EU organisations could become non-compliant overnight, just by continuing to store or process personal data in US-owned public cloud infrastructure. That includes M365, AWS, Azure, Google Workspace, Oracle, Salesforce, Dropbox, the list goes on. All your data would be exposed to extraterritorial US surveillance or seizure, with no meaningful legal route to challenge it under UK or EU law.

The EU–US Data Privacy Framework is already on shaky ground. If the US withdraws (again), UK firms relying solely on public cloud could be left stranded, with data protection regulators forced to respond.

So, what's the low-risk path forward? It's hybrid cloud (on premise or hosted). But done properly and not a panicked knee-jerk reaction, where the non-public cloud components are delivered and governed locally by you, or a UK-based provider under domestic law. Right workload, right place, right time... (and supporting UK businesses to grow and become future unicorns), growing our tax base and helping communities.

This doesn't just mindlessly tick compliance boxes. It also brings greater control, clearer governance, and a meaningful reduction in business risk. In this climate, that's not a nice-to-have... it's beyond essential.

Even if you disagree, it's gotta be worth documenting why internally. Don't leave yourself exposed; it could be very career limiting.

Can I sell it to you? Nope, not my bag. But there are plenty of awesome local providers who deserve your attention that I can point you at.
-
🌍 The Shift in Europe: Moving Away from US Hyperscalers 🌩️

As geopolitical concerns, data sovereignty, and pricing instability grow, European companies are making bold moves in their cloud strategies—and the implications are massive. Over the past 15 years, reliance on public cloud giants like AWS, Microsoft, and Google has skyrocketed. But now, we're seeing a strategic pivot unfolding across Europe, as organizations mitigate risks and embrace alternative solutions to protect their future.

🎯 Why the shift?

✅ Data Sovereignty: Stricter data protection laws like GDPR and fears over compliance with laws like the US CLOUD Act are driving demand for European-managed cloud solutions and sovereign cloud providers. Organizations are prioritizing control over their sensitive data and leaning into platforms that support their unique privacy needs.
✅ Security and Trust: Concerns over potential government interference, espionage, and vendor lock-in are making European businesses rethink their current reliance on US-based hyperscalers. The rising interest in diverse, multi-cloud strategies and locally governed services reflects the growing importance of trust in cloud decisions.
✅ Economic Predictability: Increasing costs from hyperscalers have raised concerns about long-term pricing stability. Enterprises are recognizing that forward-looking cloud strategies need to include providers that prioritize pricing transparency and tailored solutions.

🎯 What's the result?

A diverse and dynamic cloud ecosystem is emerging in Europe, leaning on open-source technologies, sovereign cloud providers, and tailored private cloud solutions. Platforms like OpenStack and others are paving the way for digital transformation without compromising on compliance or strategy. As businesses explore these new approaches, multi-cloud strategies, hybrid environments, and innovative pricing models are becoming essential for mitigating risks and staying competitive within an ever-evolving cloud landscape.

📢 This shift isn't just about technology—it's about geopolitics, trust, and long-term business resilience. Let's embrace a future where diversity in cloud ecosystems fosters innovation, enhances security, and ensures sovereignty.

What are your thoughts on this shift towards sovereign and multi-cloud solutions? 💭 Let's discuss!

#CloudComputing #DataSovereignty #SovereignCloud #MultiCloud #Geopolitics #Innovation
Linked video: Why Europe Is Fleeing The Cloud (https://www.youtube.com/)
-
Your data might be physically in another country, but it isn't in that country. If it's with an American company, it's in America. Microsoft's recent confirmation that U.S. law takes precedence over Canadian data sovereignty isn't just a tech issue, it's a privacy nightmare. We've been told our data is "safe" in the cloud, but the reality is more complicated. The CLOUD Act means a valid U.S. legal request can pull your information, no matter where it's stored. Relying solely on foreign cloud providers puts a company's data autonomy at risk. The real play here isn't just about security; it's about control. And right now, many of us have less than we think. Microsoft's precedent here sets us on a slippery slope. #DataSovereignty #CloudComputing #TechPolicy #Privacy #CLOUDAct
-
Machine IAM is vast and thus difficult, but luckily we have a handy box of great tools, technologies, approaches and frameworks to help us. They make what seems like an insurmountable challenge manageable. Let's open that toolbox and take a look:

Authorization frameworks (AuthZen, OPA, XACML, and Cedar) offer fine-grained access control. They separate authorization logic from code, enabling dynamic policy enforcement based on attributes about the user, action, resource, and environmental context. This makes it easier to define, maintain and scale consistent access controls across systems.

Kubernetes Secrets & service accounts help decouple sensitive information like API keys, credentials and certs from application code and infrastructure configuration, or provide identities with dynamic tokens.

PKCE and DPoP: PKCE stops attackers from stealing your authorization codes, making OAuth safer for apps. DPoP locks tokens to your device, so even if stolen, they can't be reused elsewhere.

Secrets management tools (AWS and GCP Secrets Manager, Azure Key Vault, CyberArk Conjur, HashiCorp Vault, OpenBao) provide a secure, centralized way to store and control access to sensitive information such as credentials, API keys, and certificates. They help organizations move away from hardcoded secrets and make it easier to manage secrets across a variety of environments.

Secure Production Identity Framework for Everyone (SPIFFE) establishes a universal identity standard for workloads. It issues cryptographically verifiable identities, enabling workloads to securely authenticate with each other across clouds or data centers. SPIFFE removes the need for hardcoded secrets and simplifies zero-trust architectures by automating identity provisioning and rotation.

Service meshes (Istio, Linkerd, Teleport) secure and manage service-to-service communication, automating discovery, credentials, and policy enforcement. They embed identity, authentication, and authorization into network traffic, allowing only trusted workloads to interact, while improving visibility and control in complex systems.

Token exchange: Think of token exchange as a way to trade one set of credentials for another with just the right privileges for a given task. OAuth 2.0 Token Exchange allows applications to swap tokens, transforming an initial identity or scope into a new, tightly-scoped credential tailored for downstream systems. This minimizes risk by granting only the permissions needed, when needed, keeping your security posture nimble and auditable across complex cloud environments.

Workload identity managers (Astrix, Clutch, Entro, Oasis, Token Security, Natoma): Manage legacy and static identities by discovering accounts, static keys, and various credentials. They track ownership, support identity lifecycle management, assist with some credential rotation, and help enforce security policies for these constructs.

I'll be writing more about each one of them.

#MachineIAM #NHI #IAM
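Two of the mechanisms in the post above, PKCE and OAuth 2.0 Token Exchange, worked through as an added example (not code from the post or from any of the products it lists). The PKCE part implements the RFC 7636 S256 challenge and an in-memory authorization server that enforces it, so you can see why a captured authorization code is useless without the verifier; the token-exchange part builds an RFC 8693 request and applies the narrowing rule an authorization server should enforce. The `AuthServer` class, client id, scopes and audience are assumptions for illustration.

```python
"""
Added example, not from the post: PKCE (RFC 7636) and Token Exchange
(RFC 8693) modelled with the standard library so their guarantees can be
exercised offline. AuthServer is an in-memory stand-in, not a real AS.
"""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 (and JOSE) require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """RFC 7636 4.1: 43..128 unreserved chars; 32 random bytes encode to 43."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Minimal PKCE-enforcing authorization server (illustrative assumption)."""

    def __init__(self):
        self._codes = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("plain challenges are not accepted")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> bool:
        """Redeem a code once; succeed only if the verifier hashes to the stored challenge.

        The code is consumed even on a failed attempt, so a thief who guesses
        wrong also burns the code for the legitimate client (RFC 6749 4.1.2
        says a code used more than once must be refused).
        """
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            return False
        return secrets.compare_digest(code_challenge_s256(code_verifier), entry[1])


def pkce_scenario() -> dict:
    """A captured code without its verifier fails; a used code cannot be replayed."""
    srv = AuthServer()
    verifier = new_code_verifier()
    code = srv.authorize("app", code_challenge_s256(verifier))
    out = {"thief_with_stolen_code": srv.token("app", code, new_code_verifier())}
    out["legit_after_thief"] = srv.token("app", code, verifier)  # code already burned
    code = srv.authorize("app", code_challenge_s256(verifier))
    out["legit_fresh_code"] = srv.token("app", code, verifier)
    out["replay_of_used_code"] = srv.token("app", code, verifier)
    return out


# --- RFC 8693 token exchange: trade a broad token for a narrower one ---------
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"


def token_exchange_request(subject_token: str, audience: str, scope: str) -> str:
    """Form body a client sends to ask for a down-scoped token for a downstream audience."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN,
        "audience": audience,
        "scope": scope,
    })


def narrow_scope(subject_scopes: str, requested: str) -> Optional[str]:
    """AS-side rule: the exchanged token may carry only scopes the subject token already had."""
    have, want = set(subject_scopes.split()), set(requested.split())
    return " ".join(sorted(want)) if want and want <= have else None


if __name__ == "__main__":
    print(pkce_scenario())
    print(token_exchange_request("<subject-token>", "inventory-svc", "orders:read"))
    print(narrow_scope("orders:read orders:write", "orders:read"))
```

The S256 vector in the test comes from RFC 7636 Appendix B, which is the quickest way to confirm a PKCE implementation before wiring it to a real provider. `narrow_scope` is the part of token exchange that actually delivers least privilege: without the subset rule, an exchange endpoint becomes a privilege-escalation primitive.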
-
📌 How to Build a Comprehensive Zero Trust Architecture on Azure

Zero Trust means "never trust, always verify": no implicit trust for users, devices, apps, or networks, even if they're inside the perimeter. A layered strategy combining strong identity, device compliance, adaptive access, network segmentation, runtime controls, and continuous monitoring helps you achieve true Zero Trust at scale.

❶ Strong Identity Control
◆ Use Microsoft Entra ID (Azure AD) to centrally manage human and workload identities.
◆ Enable MFA, Conditional Access, and risk-based sign-in to block suspicious logins.
◆ Automate access lifecycle and reviews with Entra ID Governance.

❷ Device Compliance Enforcement
◆ Manage devices with Intune to enforce compliance policies.
◆ Use Defender for Endpoint for real-time detection and automated response.
◆ Require healthy device posture before granting access.

❸ Adaptive Conditional Access
◆ Evaluate signals (location, device, session risk) before granting access.
◆ Block or require extra authentication dynamically.
◆ Reduce lateral movement by combining identity and device signals.

❹ Network Segmentation & Edge Protection
◆ Segment workloads with Azure Firewall, NSGs, and micro-segmentation.
◆ Use Application Gateway with WAF or Azure Front Door to protect against OWASP top 10.
◆ Leverage Secured Virtual Hub for centralized inspection and policy enforcement.

❺ Runtime & App Controls
◆ Use Defender for Cloud Apps to monitor SaaS and on-prem activity.
◆ Enable GitHub Advanced Security for code and supply chain protection.
◆ Apply Defender for Cloud runtime controls to containers, VMs, and serverless.

❻ Data Protection
◆ Use Purview to classify, label, and protect data.
◆ Encrypt data at rest and in transit; integrate Defender for Office 365 to block phishing.
◆ Manage privacy risk with Microsoft Priva.

❼ Continuous Threat Detection & Response
◆ Centralize detection and automation with Microsoft Sentinel.
◆ Use Defender for Cloud Secure Score and threat intelligence to improve posture.
◆ Automate remediation with playbooks.

❽ App & Infrastructure Hardening
◆ Enforce adaptive access for SaaS and on-prem apps.
◆ Extend security to multi-cloud and on-prem with Azure Arc.
◆ Use private endpoints and managed identities to eliminate secrets.

❾ API & Private Connectivity
◆ Use Defender for APIs to protect against common attacks.
◆ Expose APIs via App Gateway and APIM; block direct public access.
◆ Secure internal traffic with private links and internal DNS.

❶𝟎 Telemetry & Governance
◆ Monitor signals across identity, devices, networks, and apps.
◆ Track posture with Secure Score and automate compliance reporting.
◆ Use Just-In-Time access to reduce standing privileges.

By combining these layers, you create an Azure environment that is secure, adaptive, and resilient, protecting all entry points and data without slowing innovation.

#cloud #security #azure
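The "Adaptive Conditional Access" layer above is the one whose behaviour is easiest to get wrong when several policies overlap, so here is an added example (not from the post, and not Microsoft Entra's evaluation engine) that models the documented combination rule: every policy matching a sign-in must be satisfied, a block in any matching policy wins, and a required control that cannot be met (a non-compliant device) denies access rather than prompting. The policy set, signal names and sign-in samples are constructed for illustration; a real tenant's policies are authored in the Entra portal or via Microsoft Graph, not in Python.

```python
"""
Added example, not from the post and not Entra's engine: how overlapping
Conditional Access policies combine. Policies and sign-in signals below are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    device_compliant: bool
    sign_in_risk: str        # "none" | "low" | "medium" | "high"
    trusted_location: bool
    mfa_satisfied: bool      # MFA already completed in this session


@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[SignIn], bool]   # assignment conditions
    grant: str                          # "block" | "mfa" | "compliant_device"


# Constructed policy set, in the spirit of the post's layers.
POLICIES: List[Policy] = [
    Policy("Block high-risk sign-ins", lambda s: s.sign_in_risk == "high", "block"),
    Policy("Require MFA for all users", lambda s: True, "mfa"),
    Policy("Require MFA off trusted network", lambda s: not s.trusted_location, "mfa"),
    Policy("Compliant device for admin portal", lambda s: s.app == "admin-portal", "compliant_device"),
]


def evaluate(sign_in: SignIn, policies: List[Policy] = POLICIES) -> dict:
    """Combine all matching policies: block wins, unmet device posture denies,
    otherwise MFA is required unless already satisfied; else allow."""
    matched = [p for p in policies if p.applies(sign_in)]

    blockers = [p.name for p in matched if p.grant == "block"]
    if blockers:
        return {"decision": "block", "because": blockers}

    # A device-posture control cannot be satisfied interactively, so it denies.
    unmet_device = [p.name for p in matched
                    if p.grant == "compliant_device" and not sign_in.device_compliant]
    if unmet_device:
        return {"decision": "deny", "because": unmet_device}

    need_mfa = [p.name for p in matched if p.grant == "mfa"]
    if need_mfa and not sign_in.mfa_satisfied:
        return {"decision": "require_mfa", "because": need_mfa}

    return {"decision": "allow", "because": [p.name for p in matched]}


# Constructed sign-ins covering each outcome.
SAMPLES = {
    "risky": SignIn("alice", "mail", True, "high", True, True),
    "admin_unmanaged": SignIn("bob", "admin-portal", False, "low", True, True),
    "office_no_mfa_yet": SignIn("carol", "mail", True, "none", True, False),
    "office_mfa_done": SignIn("carol", "mail", True, "none", True, True),
    "remote_mfa_done": SignIn("dave", "admin-portal", True, "low", False, True),
}

if __name__ == "__main__":
    for label, s in SAMPLES.items():
        print(f"{label:18} -> {evaluate(s)}")
```

Note that "admin_unmanaged" is denied even though the user is low risk and has done MFA: the compliant-device control is required by a matching policy and cannot be met, and in Conditional Access all matching policies' controls must be satisfied. That is the behaviour to test for when you add a new policy to a tenant; a policy that only targets admins still interacts with every policy that targets "all users".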
-
Many businesses moving to RISE with SAP assume their security is covered. It’s not. As SAP customers embrace RISE for its cloud benefits, a dangerous misconception has emerged: “RISE with SAP will automatically secure our systems.” Reality check: RISE brings efficiency, but it doesn’t instantly shield your SAP environment from cyber threats. It operates on a shared responsibility model – SAP secures the infrastructure, but you are still responsible for protecting your applications, data, and users. In short, cloud or not, you must own your SAP security. Here’s what every business on SAP RISE needs to know: RISE ≠ Standalone Security: While RISE offers cloud infrastructure, updates, and basic safeguards, it doesn’t protect your SAP applications from misconfigurations, unpatched vulnerabilities, or unauthorized access. Cyber threats don’t disappear in the cloud — they evolve. Proactive Protection is necessary: Cloud adoption doesn’t mean automatic security. You must monitor for new vulnerabilities, monitor SAP patches, enforce least-privilege access controls, and ensure regulatory compliance. If you’re not actively securing your SAP systems, who is? Comprehensive Security Strategy: Treat SAP security as an ongoing journey, not a one-time setup. Make sure you have real-time threat detection in place – you need to know immediately if suspicious activity occurs in your SAP environment. Our recommendations? Prioritize robust patch and vulnerability management – cyberattacks often exploit known SAP vulnerabilities, so closing those gaps quickly is critical. Implement continuous monitoring of your SAP landscape (logs, configurations, user behavior) to catch anomalies before they evolve into incidents. This 360° vigilance is the only way to ensure your SAP systems remain protected day in, day out. In essence, security can’t be “set and forget” – it requires constant eyes on the ball.