20 Top API Security Tips
1. Implement Strong Authentication and Authorization: Make sure only authorized users can access your APIs. Use strong authentication methods, such as OAuth or OpenID Connect, and grant users the least privilege necessary to perform their tasks.
2. Use HTTPS Encryption: Encrypt all traffic between your APIs and clients to protect sensitive data from being intercepted by attackers.
3. Limit Data Sharing: APIs should only expose the data that clients need to function. Avoid exposing sensitive data, such as personally identifiable information (PII).
4. Store Passwords Securely: Hash passwords before storing them in a database. This will help to prevent attackers from stealing passwords if they breach your database.
5. Use the 'Least Privilege' Principle: Give users and applications only the permissions they need to perform their tasks. This will help to minimize the damage if an attacker gains access to an API.
6. Regular Updates: Keep your API software up to date with the latest security patches.
7. Disable Default Errors: Default error messages can sometimes reveal sensitive information about your API. Configure your API to return generic error messages instead.
8. Secure Session Management: Use secure methods for managing user sessions, such as using secure cookies with the HttpOnly flag set.
9. CSRF Tokens: Use CSRF tokens to prevent cross-site request forgery attacks.
10. Safe API Documentation: Your API documentation should not contain any sensitive information.
11. Security Testing: Regularly conduct security testing of your APIs to identify and fix vulnerabilities.
12. Token Expiration: Implement token expiration to prevent attackers from using stolen tokens for extended periods.
13. Secure Data Validation: Validate all user input to prevent injection attacks.
14. Security Headers: Use security headers to protect your API from common attacks, such as XSS and clickjacking.
15. CORS Configuration: Configure Cross-Origin Resource Sharing (CORS) to restrict access to your API from unauthorized origins.
16. Throttle Login Attempts: Throttle login attempts to prevent brute-force attacks.
17. API Versioning: Use API versioning to allow you to make changes to your API without breaking existing clients.
18. Data Encryption: Encrypt data at rest and in transit to protect it from unauthorized access.
19. Logging and Auditing: Log all API access and activity to help you detect and investigate security incidents.
20. Rate Limiting: Implement rate limiting to prevent API abuse and overload.
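Several of the tips above (generic error messages, security headers, a CORS allowlist and rate limiting) can be enforced in one place, in front of the application. The following is an added example, not code from the post: a framework-free WSGI wrapper that applies tips 7, 14, 15 and 20 to any WSGI app. The allowed origin, the limit of 3 requests per 60 seconds, the demo app and the sample requests are all constructed for this example.

```python
"""Added example: a WSGI wrapper applying API security tips 7, 14, 15 and 20.
Origin allowlist, limits and the demo app are constructed values, not a real service."""
import logging
import sys
import time
from collections import defaultdict, deque

log = logging.getLogger("api")

# Assumed configuration for this example; a real service loads these from config.
ALLOWED_ORIGINS = {"https://app.example.com"}   # tip 15: CORS allowlist
RATE_LIMIT = 3                                   # tip 20: requests per window, per client
WINDOW_SECONDS = 60.0

# Tip 14: headers added to every response (a JSON API: no framing, no inline script).
SECURITY_HEADERS = [
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Cache-Control", "no-store"),
]


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(deque)   # key -> timestamps of recent requests

    def allow(self, key):
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:   # forget requests outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def secure_api(app, limiter):
    """Wrap a WSGI app: rate limit, CORS allowlist, security headers, generic errors."""

    def wrapped(environ, start_response):
        client = environ.get("REMOTE_ADDR", "unknown")
        origin = environ.get("HTTP_ORIGIN")
        extra = list(SECURITY_HEADERS)
        if origin in ALLOWED_ORIGINS:
            # Only allowlisted origins get a CORS header; any other origin gets none,
            # so the browser refuses to hand the response to the calling page.
            extra += [("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]

        if not limiter.allow(client):
            start_response("429 Too Many Requests",
                           extra + [("Content-Type", "application/json"),
                                    ("Retry-After", str(int(limiter.window)))])
            return [b'{"error":"rate limited"}']

        def inner_start(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)

        try:
            return list(app(environ, inner_start))   # materialise so errors surface here
        except Exception:
            # Tip 7: full detail goes to the server log, never to the client.
            log.exception("unhandled error for %s %s",
                          environ.get("REQUEST_METHOD"), environ.get("PATH_INFO"))
            start_response("500 Internal Server Error",
                           extra + [("Content-Type", "application/json")], sys.exc_info())
            return [b'{"error":"internal error"}']

    return wrapped


def demo_app(environ, start_response):
    """Constructed upstream API; /boom simulates a bug that would leak an internal detail."""
    if environ.get("PATH_INFO") == "/boom":
        raise RuntimeError("connection to db failed: password=hunter2")
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok":true}']


def call(app, path="/", remote="203.0.113.10", origin=None, method="GET"):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "REMOTE_ADDR": remote}
    if origin:
        environ["HTTP_ORIGIN"] = origin
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


if __name__ == "__main__":
    api = secure_api(demo_app, SlidingWindowLimiter())
    for args in ({"origin": "https://app.example.com"}, {"origin": "https://evil.example"},
                 {"path": "/boom"}, {}):
        print(call(api, **args))
```

The wrapper deliberately does not handle CORS preflight (OPTIONS) requests or per-user login throttling (tip 16); the same limiter class can be keyed on a username for the login endpoint, and per-client state should live in a shared store rather than process memory once there is more than one worker.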
Cloud Security
-
Most organizations treat data governance like a compliance project. It's not. It's the operating framework that makes everything else work. Here's how data becomes trusted, usable, and scalable:
DATA FOUNDATION
This is where it starts. Not with dashboards or AI models.
→ Master data that's shared and neutral
→ Transaction data you can trace
→ Source systems you can rely on
→ Data products that deliver value
→ Event and IoT data that's structured
Make data understandable and reliable.
DATA MANAGEMENT
The layer most organizations confuse with governance.
→ Data quality monitoring
→ Metadata management
→ Lineage tracking
→ Cataloging
This operationalizes the rules. But it doesn't set them.
DECISION AUTHORITY
This is governance. The layer everyone skips.
→ Metric ownership assigned
→ Definition rights clarified
→ Change authority established
→ Escalation paths defined
This is what scales. Not the catalog. Decision clarity.
ANALYTICS & AI
Built on governed decisions.
→ Dashboards and reporting that people trust
→ Advanced analytics that stay accurate
→ RAG and GenAI that don't drift
→ AI models and agents that scale
BUSINESS OUTCOMES
→ Trusted metrics
→ Faster decisions
→ Scalable analytics
→ Safe AI adoption
The framework connects to:
→ Technical enablement (cloud, platforms, APIs, security)
→ Operating model (roles, governance cadence, stewardship)
→ Risk and control (regulatory compliance, auditability, ethics)
Here is how I see it: If ownership is unclear, nothing above scales. You can build the best data platform in the world. The cleanest pipelines. The most advanced AI. But without clear ownership and decision authority, it all breaks when someone asks "who approved this definition?"
Start with the foundation. Build the governance layer. Then scale. Not the other way around.
-
🚨 CISA & NSA release Crucial Guide on Network Segmentation and Encryption in Cloud Environments 🚨
In response to the evolving requirements of cloud security, the Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released a comprehensive Cybersecurity Information Sheet (CSI): "Implement Network Segmentation and Encryption in Cloud Environments." This document provides detailed recommendations to enhance the security posture of organizations operating within cloud infrastructures (that probably means you).
Key Takeaways Include:
🔐 Network Encryption: The document underscores the importance of encrypting data in transit as a defense mechanism against unauthorized data access.
🌐 Secure Client Connections: Establishing secure connections to cloud services is fundamental.
🔎 Caution on Traffic Mirroring: While recognizing the benefits of traffic mirroring for network analysis and threat detection, the guidance cautions against potential misuse that could lead to data exfiltration and advises careful monitoring of this feature.
🛡️ Network Segmentation: Stressed as a foundational security principle, network segmentation is recommended to isolate and contain malicious activities, thereby reducing the impact of any breach.
This collaboration between NSA and CISA provides actionable recommendations for organizations to strengthen their cloud security practices. The emphasis is on strategically implementing network segmentation and end-to-end encryption to secure cloud environments effectively. Information security leaders are encouraged to review this guidance to better understand the measures necessary to protect cloud-based assets. Implementing these recommendations will contribute to a more secure, resilient, and compliant cloud infrastructure. Access the complete guidance provided by the NSA and CISA to fully understand these recommendations and their application to your organization's cloud security strategy.
📚 Read CISA & NSA's complete guidance here: https://lnkd.in/eeVXqMSv
#cloudcomputing #technology #informationsecurity #innovation #cybersecurity
-
If you're new to Security Engineering, you're likely:
– relying on "default" cloud configs
– skipping threat modeling and risk reviews
– ignoring logging, audit trails, or alert fatigue
– underestimating insider threats and privilege creep
– forgetting to patch dependencies and container images
Follow this simple 27-rule Security Engineering Checklist to protect your org and avoid rookie mistakes.
1. Never deploy to prod without a full security review and automated vulnerability scan.
2. Patch everything (OS, dependencies, containers) on a regular schedule, not just when an incident hits.
3. Rotate all secrets and keys regularly, and store them in a dedicated secrets manager.
4. Enforce strong, unique passwords everywhere. Disable password reuse.
5. Require Multi-Factor Authentication (MFA) for all privileged and production accounts.
6. Limit permissions by default: start with zero trust, use least privilege everywhere.
7. Set up Role-Based Access Control (RBAC) and review roles/permissions every quarter.
8. Segment networks; no flat internal networks. Isolate prod, staging, and dev completely.
9. Encrypt data everywhere: at rest, in transit, and (where possible) in use.
10. Enable detailed audit logging on all critical systems, APIs, and cloud resources.
11. Review audit logs regularly; don't just store them, analyse them for anomalies.
12. Use Infrastructure as Code (IaC) to standardise, version, and review every config change.
13. Scan all Infrastructure as Code and container images for security misconfigurations and vulnerabilities.
14. Run regular external and internal penetration tests; don't trust just compliance scans.
15. Threat model every major new system or feature before shipping to production.
16. Validate and sanitise all user inputs; never trust client-side validation alone.
17. Protect public endpoints with WAFs, API gateways, and rate limiters.
18. Require code reviews for all security-sensitive code paths.
19. Never expose internal services directly to the internet; use proxies, firewalls, and allowlists.
20. Monitor for unusual authentication, privilege escalations, and lateral movement.
21. Use endpoint protection and EDR (Endpoint Detection & Response) on all corporate devices.
22. Run simulated phishing campaigns and red team exercises, not just annual security training.
23. Automate alerting for critical events; disable noisy, low-signal alerts to avoid alert fatigue.
24. Enforce secure backups: encrypt, store offsite, and regularly test restore.
25. Require explicit approval and justification for opening firewall ports or changing access.
26. Document every system's security controls, incident history, and responsible owner.
27. Never treat security as "done"; review, improve, and iterate after every incident and audit.
---
Found this useful? Repost it. Follow saed for more & subscribe to the newsletter: https://lnkd.in/eD7hgbnk
I am now on Instagram: instagram.com/saedctl say hello 👋
-
This EY incident underscores a truth we often overlook: the most common cloud vulnerability isn't a zero-day exploit; it's a configuration oversight. A single misstep in cloud storage permissions turned a database backup into a public-facing risk. These files often hold the "keys to the kingdom", i.e. credentials, API keys, and tokens that can lead to a much wider breach.
How do we protect ourselves against these costly mistakes? Suggestions:
1. Continuous Monitoring: Implement a CSPM for 24/7 configuration scanning. CSPM is Cloud Security Posture Management -> a type of automated security tool that continuously monitors cloud environments for misconfigurations, vulnerabilities, and compliance violations. It provides visibility, threat detection, and remediation workflows across multi-cloud and hybrid cloud setups, including SaaS, PaaS, and IaaS services.
2. Least Privilege Access: Default to private. Grant access sparingly.
3. Data Encryption: For data at rest and in transit.
4. Automated Alerts: The moment something becomes public, you should know.
5. Regular Audits: Regularly review access controls and rotate secrets.
-
Fix trust first, not dashboards. That's how you make data work for everyone.
A new Head of Data walks in. The first 90 days are a test.
Many start with dashboards, pipelines, and plans. They rebuild what's broken and expect trust to follow.
But, most fail. They forget that trust, not tools, is the real foundation. You can fix every schema and still have leaders asking, "Why are we still in this mess?"
Here's what works:
Phase 1: Diagnose, Don't Deliver. Meet every key person. Ask what data they trust. Listen to real pain, not just reports. Find your "data superusers." See where data dies before it reaches the decision.
Phase 2: Align and Design. Prioritize quick wins. Rank by impact, complexity, reach, and risk. Set clear ownership for metrics. Share updates every week.
Phase 3: Deliver Proof, Not Promises. Pick the highest priority. Deliver one visible win in 30-45 days. Align on definitions so everyone speaks the same language. Over-communicate wins and issues.
Avoid these traps:
• Don't rush to buy new tools.
• Don't rebuild dashboards before fixing trust.
• Don't promise AI if you have ten definitions of revenue.
The first 90 days decide if data drives growth or stays a reporting chore.
If your CFO still doesn't believe the numbers by Day 90, nothing else matters. Trust comes first. Visible wins come next.
That's how you stop being "the data person" and become the person who makes data work.
How are you building trust in your data teams?
-
Your dashboards can be 100% green. And still completely wrong. That's the scary part about data quality problems: they spread quietly before anyone notices. A reliable pipeline doesn't just move data. It verifies trust at every stage.
The checks that matter most:
• null & duplicate validation
• primary key checks
• referential integrity
• schema evolution detection
• freshness monitoring
• range & outlier checks
• distribution drift tracking
And one lesson engineers learn late: Schema evolution is not "just metadata." A tiny structural change can break:
• joins
• aggregations
• ML features
• dashboards
• historical consistency
If you want stronger systems:
• validate schemas before deploys
• monitor row-count anomalies
• compare distributions over time
• treat data contracts seriously
• build observability into pipelines early
Because pipelines usually fail long before they crash. The best engineers catch the signal before the incident.
Here are some amazing frameworks to include in your data projects:
→ Great Expectations: Write tests for your data like you test code.
→ Deequ: Amazon's gift to data quality. Scales beautifully.
→ Monte Carlo: Observability for data pipelines. Sleep better.
→ dbt Labs tests: Test your transformations. Trust your models.
Quality isn't a one-time project. It's a daily practice.
Image Credits: Sumit Gupta
What's one silent data issue your team learned the hard way? #data #engineering
-
Using unverified container images, over-permissioning service accounts, postponing network policy implementation, skipping regular image scans and running everything in default namespaces... What do all these have in common? Bad cybersecurity practices! It's best to always do this instead:
1. Only use verified images, and scan them for vulnerabilities before deploying them in a Kubernetes cluster.
2. Assign the least amount of privilege required. Use tools like Open Policy Agent (OPA) and Kubernetes' native RBAC policies to define and enforce strict access controls. Avoid using the cluster-admin role unless absolutely necessary.
3. Network Policies should be implemented from the start to limit which pods can communicate with one another. This can prevent unauthorized access and reduce the impact of a potential breach.
4. Automate regular image scanning using tools integrated into the CI/CD pipeline to ensure that images are always up-to-date and free of known vulnerabilities before being deployed.
5. Always organize workloads into namespaces based on their function, environment (e.g., dev, staging, production), or team ownership. This helps in managing resources, applying security policies, and isolating workloads effectively.
PS: If necessary, you can ask me in the comment section specific questions on why these bad practices are a problem.
#cybersecurity #informationsecurity #softwareengineering
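The five practices above are easy to check mechanically before anything reaches the cluster, which is what admission controllers and CI policy steps do. The following is an added example, not from the post and not an OPA policy: a small Python linter over manifests already loaded into dictionaries (what any YAML loader returns) that flags unpinned images, workloads in the default namespace, bindings to cluster-admin, and namespaces that run workloads without any NetworkPolicy. The sample manifests, names and registry are constructed; true image "verification" (signature checking) is out of scope here, and pinning by digest is shown as its prerequisite.

```python
"""Added example: a manifest linter for the Kubernetes practices listed above.
Manifests are Python dicts as a YAML loader would produce; samples are constructed."""

WORKLOAD_KINDS = {"Pod", "Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob"}


def containers_of(obj):
    """Containers (including init containers) of a Pod or a pod-template workload."""
    kind = obj.get("kind")
    if kind not in WORKLOAD_KINDS:
        return []
    spec = obj.get("spec", {})
    if kind == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    if kind != "Pod":
        spec = spec.get("template", {}).get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def image_problem(image):
    """Practice 1: pin by digest so the artefact you scanned is the artefact that runs.
    Returns a finding string, or None when the image reference carries a digest."""
    if "@sha256:" in image:
        return None
    last = image.rsplit("/", 1)[-1]          # final path component, e.g. "app:1.2"
    if ":" not in last or last.endswith(":latest"):
        return f"image {image!r} uses a floating tag (latest/untagged); pin by digest"
    return f"image {image!r} is pinned by tag only; pin by digest"


def lint_manifests(objs):
    """Return human-readable findings for practices 1, 2, 3 and 5 over a list of objects."""
    findings = []
    workload_ns, policy_ns = set(), set()
    for obj in objs:
        kind = obj.get("kind", "?")
        meta = obj.get("metadata", {})
        ns = meta.get("namespace") or "default"   # Kubernetes defaults a missing namespace
        ident = f"{kind}/{meta.get('name', '?')}"
        if kind == "NetworkPolicy":
            policy_ns.add(ns)
        elif kind in ("ClusterRoleBinding", "RoleBinding"):
            # Practice 2: cluster-admin bindings need an explicit justification.
            if obj.get("roleRef", {}).get("name") == "cluster-admin":
                who = ", ".join(f"{s.get('kind')}:{s.get('name')}" for s in obj.get("subjects", []))
                findings.append(f"{ident}: binds cluster-admin to {who}")
        elif kind in WORKLOAD_KINDS:
            workload_ns.add(ns)
            if ns == "default":                   # practice 5
                findings.append(f"{ident}: runs in the default namespace")
            for c in containers_of(obj):
                problem = image_problem(c.get("image", ""))
                if problem:
                    findings.append(f"{ident}: container {c.get('name')} {problem}")
    # Practice 3: every namespace with workloads should carry at least one NetworkPolicy.
    for ns in sorted(workload_ns - policy_ns):
        findings.append(f"namespace {ns}: has workloads but no NetworkPolicy")
    return findings


# Constructed sample: one sloppy deployment, one clean one, a default-deny policy,
# and a CI service account granted cluster-admin.
DIGEST = "sha256:" + "a" * 64
SAMPLE_MANIFESTS = [
    {"kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {"containers": [{"name": "web", "image": "nginx:latest"}]}}}},
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "payments"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "api", "image": f"registry.example/payments/api@{DIGEST}"}]}}}},
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
]

if __name__ == "__main__":
    for finding in lint_manifests(SAMPLE_MANIFESTS):
        print(finding)
```

Run against a rendered Helm chart or `kubectl get -o json` output, the same rules catch drift in a live cluster as well as in a pull request; in production the rules belong in an admission controller (OPA/Gatekeeper or Kyverno) so that a finding blocks the deploy rather than just printing.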
-
A few months ago, we found a malicious AWS CloudFormation template trying to breach a customer's AWS account. It was disguised as "AWS Support for Fargate". Here's what it's really up to:
1. Grants itself administrator-level permissions via a fake support IAM role
2. Deploys a Lambda function (in-line) to exfiltrate the role ARN to an external API Gateway endpoint
3. Invokes itself using an AWS CloudFormation CustomResource
📘 Blue team tips
- Always review the IAM roles, policies, and external calls in any template.
- Use the IAM Access Analyzer to verify external trust relationships
- Don't blindly trust anything labeled "AWS Support" — verify it first!
- Report to AWS Security teams ASAP
📕 Red team tips
- The malicious actor is identified by the AWS account ID in the AssumeRole policy.
- Consider flooding the API endpoint with randomly generated payloads using fake IAM role ARNs.
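The first blue-team tip (review the IAM roles, policies and external calls in any template) can be partly automated so that the three behaviours described above stand out before a stack is created. The following is an added example, not the author's tooling: a read-only Python review helper that walks a CloudFormation template and reports admin-level IAM roles, role trust policies naming an account other than your own, URLs embedded in inline Lambda code, and custom resources that will run that code during stack operations. The template, the account IDs and the endpoint name are all constructed look-alikes; nothing is deployed or called.

```python
"""Added example: a read-only CloudFormation template reviewer for the
behaviours described above. Template and account IDs are constructed."""
import re

OUR_ACCOUNT = "111111111111"   # constructed: the account the template would be deployed into
ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}
URL_RE = re.compile(r"https?://[^\s'\"]+")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def admin_statements(policy_doc):
    """True if a policy document allows Action '*' (or '*:*') on Resource '*'."""
    for st in _as_list(policy_doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = set(map(str, _as_list(st.get("Action", []))))
        resources = set(map(str, _as_list(st.get("Resource", []))))
        if actions & {"*", "*:*"} and "*" in resources:
            return True
    return False


def foreign_principals(trust_doc, our_account):
    """12-digit account IDs in a role trust policy that are not our own account."""
    found = set()
    for st in _as_list(trust_doc.get("Statement", [])):
        principal = st.get("Principal", {})
        if not isinstance(principal, dict):        # a bare "*" principal
            continue
        for arn in _as_list(principal.get("AWS", [])):
            m = re.search(r"\b(\d{12})\b", str(arn))   # intrinsic functions become text, no match
            if m and m.group(1) != our_account:
                found.add(m.group(1))
    return sorted(found)


def _ref_name(value):
    """Logical ID behind a ServiceToken written as Fn::GetAtt or Ref."""
    if isinstance(value, dict):
        if "Fn::GetAtt" in value:
            target = value["Fn::GetAtt"]
            return target[0] if isinstance(target, list) else str(target).split(".")[0]
        if "Ref" in value:
            return value["Ref"]
    return str(value)


def review_template(template, our_account=OUR_ACCOUNT):
    """Return findings a reviewer should look at before creating the stack."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties", {})
        if rtype == "AWS::IAM::Role":
            for arn in props.get("ManagedPolicyArns", []):
                if isinstance(arn, str) and arn in ADMIN_POLICY_ARNS:
                    findings.append(f"{logical_id}: attaches {arn}")
            for pol in props.get("Policies", []):
                if admin_statements(pol.get("PolicyDocument", {})):
                    findings.append(f"{logical_id}: inline policy {pol.get('PolicyName')} allows * on *")
            for acct in foreign_principals(props.get("AssumeRolePolicyDocument", {}), our_account):
                findings.append(f"{logical_id}: trust policy lets account {acct} assume this role")
        elif rtype == "AWS::Lambda::Function":
            code = props.get("Code", {}).get("ZipFile")
            if isinstance(code, str):
                for url in URL_RE.findall(code):
                    findings.append(f"{logical_id}: inline code references {url}; confirm who operates it")
        elif rtype == "AWS::CloudFormation::CustomResource" or rtype.startswith("Custom::"):
            findings.append(f"{logical_id}: custom resource runs {_ref_name(props.get('ServiceToken'))} "
                            "during stack create/update/delete")
    return findings


# Constructed template mirroring the shape described above: an over-privileged role
# trusted by a foreign account, inline Lambda code pointing at an outside endpoint,
# and a custom resource that triggers it. The code body is a placeholder, not a payload.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "AWS Support for Fargate",
    "Resources": {
        "SupportRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"AWS": ["arn:aws:iam::999999999999:root",
                                      {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}]}}]},
            "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"]}},
        "Helper": {"Type": "AWS::Lambda::Function", "Properties": {
            "Runtime": "python3.12", "Handler": "index.handler",
            "Role": {"Fn::GetAtt": ["SupportRole", "Arn"]},
            "Code": {"ZipFile": "# constructed stand-in for an inline handler\n"
                                "ENDPOINT = 'https://example.invalid/collect'\n"}}},
        "Trigger": {"Type": "AWS::CloudFormation::CustomResource",
                    "Properties": {"ServiceToken": {"Fn::GetAtt": ["Helper", "Arn"]}}},
    },
}

if __name__ == "__main__":
    for finding in review_template(SAMPLE_TEMPLATE):
        print(finding)
```

This is a reading aid, not a verdict: legitimate templates also create roles and custom resources, so each finding is a line to check rather than a block. The foreign-account check complements IAM Access Analyzer, which reports the same kind of external trust once a role exists, whereas this runs on the template before anything does.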
-
2024 State of Cloud Security Study: Key Insights
A great morning read from Datadog, which 'analyzed security posture data from a sample of thousands of organizations that use AWS, Azure, or Google Cloud.'
↗️ Long-lived credentials -> remain a security risk, with 60% of AWS IAM users having access keys older than one year. Unused credentials are widespread, increasing attack surfaces across all cloud providers (AWS, Azure, GCP).
Recommendation -> Shift to temporary, time-bound credentials & centralized identity management solutions.
↗️ Public access blocks on cloud storage increasing. AWS S3 & Azure Blob Storage are increasingly using public access blocks, with S3 seeing 79% of buckets proactively secured.
Recommendation -> Enable account-level public access blocks to minimize risks of accidental data exposure.
↗️ IMDSv2 adoption growing. AWS EC2 instances enforcing IMDSv2 have grown from 25% to 47%, yet many instances remain vulnerable.
Recommendation -> Enforce IMDSv2 across all EC2 instances & use regional settings for secure defaults.
↗️ Managed Kubernetes clusters. Many clusters (almost 50% on AWS) expose APIs publicly, with insecure default configurations risking attacks.
Recommendation -> Use private networks, enforce audit logs, & limit permissions on Kubernetes worker nodes.
↗️ 3rd-party integrations pose supply chain risk. 10% of third-party IAM roles are overprivileged, creating risks of AWS account takeover.
Recommendation -> Limit permissions, enforce External IDs, & remove unused third-party roles.
↗️ Most cloud incidents caused by compromised cloud credentials. Cloud incidents are often triggered by compromised credentials, particularly in AWS, Azure, & Entra ID environments.
Patterns of Attack
+ Compromised identities
+ Escalation via GetFederationToken
+ Service enumeration
+ Reselling access
+ Persistence techniques
Microsoft 365 -> Credential stuffing, bypassing MFA, & malicious OAuth apps for email exfiltration.
Google Cloud -> Attackers leverage VPNs & proxies for crypto mining and follow common attack patterns.
Recommendations -> Implement strong identity controls & monitor API changes that attackers may exploit.
↗️ Many cloud workloads are excessively privileged or run in risky configurations. Overprivileged cloud workloads expose organizations to significant risks, including full account compromise & data breaches.
Recommendation -> Enforce least privilege principles on all workloads. Use non-default service accounts with tailored permissions in Google Cloud. Avoid running production workloads in AWS Organization management accounts.
The study shows improved adoption of secure cloud configurations -> better awareness + enforcement of secure defaults. However, risky credentials & common misconfigurations in cloud infrastructure remain significant entry points for attackers.
P.S. Use the info to strengthen your org's cloud security posture. Full study report in the comments ⬇️
#cloudsecurity #cloudsec #cybersecurity
