Top of Page

Cloud Security INSIGHTS Newsletter Archive

Our bi-monthly e-newsletter Cloud Security INSIGHTS, delivers timely, must-read original articles for the professional development of infosecurity practitioners focused on cloud security. You can view the most current issue here.


    March INSIGHTS

    Cyberwar: Is the Cloud the Target, the Battlefield, or Both?

    The US wants big tech to help defend cyberspace from nation state actors and cybercriminals. Does that mean the cloud is now the frontline? Joe Fay investigates. Read More

    January INSIGHTS

    Cloud cybersecurity: is AI friend or foe?

    AI is predicted to change cybersecurity forever. In this complex new era, defenders will not only have to protect networks and devices against attack but ensure the deeper integrity of the AI systems themselves. John Dunne takes a closer look. Read More


    November INSIGHTS

    Top Cloud Security Challenges This Year – And How to Avoid Them in 2023

    There are no indications of settling in the tech environment as the global health crisis wanes; cloud security threats continue to evolve as cloud services expand. Organizations that aggressively ramp up their defensive strategies and reinforce their security mindset will gain an edge, but it may not be clear how to accomplish those goals efficiently. Read More

    September INSIGHTS

    Tips and Tools to Conduct Amazon Web Services Penetration Tests

    Amazon Web Services (AWS) grew 36.5% year over year in Q1 2022, according to business news outlet CNBC. With more than a million active users spread across 190 countries and a service portfolio offering 200 unique products, AWS is a market powerhouse in the cloud hosting space. That also makes it a prime target for attackers and advanced persistent threats. Read More


    The Future of Open-Source Software in Cloud-Native Environments

    The decision between choosing open source versus proprietary software to build a cloud-native environment is driven by risks and rewards. It should also be based on team size, time investments and available budget.

    “Perceptions of open-source software (OSS) are evolving, and what was once seen as potential risk is now seen as an enabler for both security and business,” said Paul Calatayud, CISO, Aqua Security. “The pros of open source are that the community is a strong and collaborative one, and it puts an emphasis on security by working together to identify and resolve software vulnerabilities and bugs.” Read More


    Looking for a Break in the Clouds: How to Build More Resilience During Turbulent Times

    Business continuity (BC) and disaster recovery (DR) requirements have changed with the advent of cloud services, leading many organizations to reassess their programs. This presents an opportunity, suggested Wolfgang Goerlich, an advisory CISO at Cisco’s Duo Security. “It’s great to do the thing,” he said, referring to cloud continuity planning, “but what if we could do the thing and get more out of it?” Read More

    March INSIGHTS

    Privacy in a Fishbowl: iCloud controversy raises concerns about potential misuses

    Particularly in the United States, privacy has too few protections, and it continues to erode.

    That reality is abetted by Americans’ casual surrender of control over how their personal data is used.

    Sloane Burwell, senior compliance analyst at Hacker One, makes the distinction that, “If I put my business card in some glass bowl to win a month’s worth of Starbucks, I know that when I do that, my information is going to be shared 50 times. In Europe, they’re absolutely shocked and appalled.” Read More

    January INSIGHTS

    How to Help Developers Work Fast and Stay Secure in Cloud-Native Environments

    The technological world in which we live and work continues to accelerate, in no small part due to growing global adoption of cloud environments to store, process and secure the data and applications that we now consume. That faster pace may foster innovation and improvements and help a solution get to market sooner, but it isn’t without negative consequences. For one, mistakes around workload misconfigurations remain a problem. Then there are shifting roles between cybersecurity professionals and developers, the latter of whom can now select cloud-native security tooling that may—or may not—satisfy an organization’s security operations team. Read More


    November INSIGHTS

    Lessons learned from enterprise cloud security programs

    The cloud computing model is maturing, moving from the experiments of early adopters to a mainstream computing platform underpinning established enterprises. With hundreds of existing services, a constant barrage of new announcements every year and a shortage of skilled practitioners, taming the beast of cloud security with traditional methods can seem overwhelming. In this article, we look at best practices and lessons learned based on my personal experience working on cloud security in Fortune 500 enterprises for more than a decade. Read More

    September INSIGHTS

    What Your CISO and/or SOC Shouldn’t Miss in Evaluating a Cloud Service Provider

    Since the advent of cloud computing, enterprises have struggled with choosing the best cloud service provider based on their unique needs. Common use cases include low cost, security, interoperability, big data analytics, storage, VDI, etc. On the flip side, major cloud service providers (Amazon Web Services, Microsoft Azure, Google Cloud, Alibaba Cloud, IBM Cloud or Oracle Cloud) have been working tirelessly to entice customers into consuming their services. Read More


    What Lurks Beyond Leaky Storage Buckets and Reduced Visibility

    In 2020, a large SaaS provider with hundreds of thousands of users asked Palo Alto Networks to run a red team exercise against the customer’s cloud infrastructure. Though the cybersecurity company normally doesn’t conduct pen tests, it accepted the challenge. Read More


    Difficulties Remain with Fixing Cloud Misconfigurations

    Despite recent years’ acceleration into cloud-native environments—or perhaps because of it—remediations for cloud misconfigurations are still measured in weeks and months, not days, on average. This lag also comes at a time when watering hole attacks like the one tied to SolarWinds are coming for the cloud, according to a study released earlier this year. Read More

    March INSIGHTS

    What to Do About Multi-Cloud Audit Log Overload

    In an interview with Expel Chief Technology Officer Peter Silberman, we explore one of the biggest issues cybersecurity professionals must overcome in 2021: data overload due to logs generated by multiple cloud platforms.

    Most of us are familiar with data sprawl generated by cloud services, but not data overload. Can you discuss how this came to be such a big problem? And just how big of a problem is it now? Read More

    January INSIGHTS

    From the Front Lines: Securing a Cloud-Native Company

    Eric Gauthier, CISSP, had a traditional IT background that included running data centers and security when he landed at a company that tasked him with building a screening program for a cloud-native, serverless infrastructure.

    What Gauthier learned from his early challenges were outlined in an (ISC)² Security Congress presentation to help others establish similar secure environments without compromising on security. Read More


    November INSIGHTS

    Practical Advice to Harden Multi-Cloud Environments

    By Paul South

    Jeremy Snyder traveled the globe for several years learning how companies large and small secured their multi-cloud environments. The result of this international listening tour? A list of 10 recommendations for how to improve your multi-cloud security posture—a goal that’s now more important than ever with the shift to remote work and bad actors seeking novel ways to infiltrate public, private and hybrid cloud infrastructures accessed from so many more entry points. Read More

    September INSIGHTS

    The Evolution of Vulnerability Management on Cloud Endpoints

    By Oscar Monge España, CISSP, CCSP

    One of the most common challenges when securing the cloud is not having full visibility of all resources deployed. This exponentially increases the exposure factor, which could lead to a possible breach.

    Six to eight years ago, when organizations started moving to the cloud, the main goal was a smooth transition in order to quickly reap the benefits of cloud to deploy workloads and reduce capital expenditures. Security came later. Read More


    Is It Time to Buy into Cloud Security Posture Management?

    By Anne Saita

    Mistakes happen. When it comes to cloud services, it’s important to know who is responsible when a mistake causes financial and reputational damage. With so many “shared responsibility models” currently being rewritten, now is an opportune time to consider the liabilities from cloud misconfigurations and technical solutions to help minimize them. Read More


    Survey: Security Lags as Cloud Use Rapidly Grows More Complex

    By Shawna McAlearney

    Offering flexibility, convenience and speed to drive business initiatives, the cloud continues to present unrivaled opportunities for innovation—if it can be properly secured. Unfortunately, security efforts are still coming up short in many environments.

    “Between the use of multiple cloud platforms and heterogeneous security solutions, to the lack of qualified personnel needed to implement and manage them, enterprises find themselves compromising security to achieve their business objectives,” according to FireMon’s The 2020 State of Hybrid Cloud Security survey of 522 IT and security professionals. Read More

    March INSIGHTS

    Building a Hardened Container Infrastructure—In and Outside of the Cloud

    By Matt Gillespie

    Bank vaults, mainframes and mountain fortresses are desirable for their lack of subtlety. Protection of their contents is ensured by sheer heft, so proprietors can focus elsewhere.

    That calculus changes when low overhead is paramount. For instance, Linux containers epitomize lightweight, ephemeral infrastructure. And workloads that by design exist with only fleeting ties to physical systems must rely elsewhere for protection. Read More

    January INSIGHTS

    Bringing PKI to the Cloud May Be Easier than You Think—And Already Happening

    Most cybersecurity professionals are familiar with public key infrastructure (PKI) as it relates to creating and managing digital identities for people, platforms and devices across an enterprise. That increasingly includes building or outsourcing PKI within the cloud.

    “We have always consumed PKI in the cloud, we just haven’t called it that because we have gone out and bought SSL certs that are publicly-rooted from the vendors,” explained Chris Hickman, the chief security officer for PKI-as-a-service provider Keyfactor, during an (ISC)2 roundtable discussion. “If we look at the history of certificates and how they were used, one could easily argue that PKI was actually one of the first applications in the cloud, by virtue of needing a certificate to protect my e-commerce website or my website. In general, that was what I did: I went out and bought a cert. That cert was from somebody who was providing PKI in the cloud. It is actually not a new concept.” Read More


    November INSIGHTS

    In Cloud We Trust (Mostly), According to New Survey

    By Deborah Johnson

    Since organizations began digital transformations en masse, a perennial question has been: Is data safer in the cloud or on-premises? A new survey shed some insight on how both are currently perceived by cybersecurity executives.

    To measure the use of cloud services—now a $325 billion global market—and the level of trust in them, Nominet Cyber Solutions queried 274 C-level and other high-ranking cybersecurity professionals in the United States and United Kingdom. Read More

    September INSIGHTS

    Minimizing Exposures Associated with Free Cloud Services

    By Matt Gillespie

    Free and low-cost public cloud services such as email and storage drops have democratized IT disruption. One result is an extended attack surface, affecting companies large and small.

    Verizon’s 2019 Data Breach Investigations Report finds that compromised cloud-based email accounts now comprise 60% of web application hacks. Likewise, improper configuration of cloud-based file storage is leading to massive data exposure, accounting for 21% of breaches caused by errors. Read More


    Forecast Looking Good for Cloud Security Solutions

    By Shawna McAlearney

    Organizations are embracing the deployment of mission-critical workloads to the public cloud at an unprecedented rate, driving the global cloud security solutions market to an estimated $12.7 billion by 2023.

    That’s according to Forrester’s Cloud Security Solutions Forecast, 2018 to 2023. The same analysis noted more than half (54%) of global infrastructure decision makers have implemented, or are expanding, their use of the public cloud, up from 25% in 2015. Read More


    Turning to History to Build Trust in the Cloud Era

    By Paul South

    Amin Vahdat, a Google Fellow and technical lead for the company, is a student of history. The internet’s history, to be more precise.

    In the early days of distributed systems, trust was implicit, he recalled. Protocols for routing and the like were not built with an adversarial mindset. Malware, phishing scams and state-sponsored cyber threats were rarely considered (at least publicly). Read More

    March INSIGHTS

    Managing the Potholes and Possibilities During Cloud Migrations

    By Paul South

    Sometimes the journey to the cloud means pedal-to-the-metal driving on a smooth track. Other times, the road is rife with potholes to be avoided. Knowing when to press forth and when to maneuver around a pockmarked path will depend on how each organization selects, deploys and maintains cloud-related services. Read More

    January INSIGHTS

    More Security Coming from Cloud Platform Providers

    By Joyce Flory

    Cloud security has come a long way in the last decade. With cloud service providers building more protections into their platforms, some information security professionals now see cloud security on par with, and possibly better than, on-premises environments. That viewpoint, however, is far from universal. Read More