Cloud Security
In-depth guides and analysis on cloud security from the Safeguard engineering team.
237 articles
Azure ACR Image Signing with Notation Policy
Azure Container Registry plus Notation gives you signing, trust policy, and AKS enforcement without bolting on Sigstore. Here is how the pieces actually fit together.
How to set up AWS Organizations Service Control Policies
A practical, command-by-command guide to AWS Organizations SCP setup — from enabling policy types to real guardrail examples, rollout, and troubleshooting.
How to implement least privilege for GCP service accounts
A step-by-step guide to auditing, scoping, and enforcing least privilege service accounts GCP-wide — including key rotation and IAM audit workflows.
How to set up cloud security posture management (CSPM)
A practical, step-by-step guide to setting up cloud security posture management: inventory, tool selection, policy tuning, alerting, remediation, and verification.
How to configure network ACLs in AWS VPC
A step-by-step guide to configure AWS NACLs correctly — creating rules, associating subnets, and verifying traffic — for real defense-in-depth in your VPC.
AWS ECR Signing Policies with Notation
ECR now supports Notation-based image signing and trust policy enforcement. Here is how to design signing policies that survive scale and auditors.
IBM Cloud Code Engine: A Supply Chain Defender's Walkthrough
Code Engine abstracts away Kubernetes for Knative-style serverless workloads on IBM Cloud. The supply chain story is different from what most defenders bring from AWS or GCP.
Wiz vs Prisma Cloud in 2026
Two CNAPPs at the top of every shortlist, and they are not interchangeable. A detailed look at agentless coverage, runtime depth, pricing pressure, and deployment realities.
GCP Cloud Build + Workload Identity Federation
Workload Identity Federation is the right way to give Cloud Build and external CI access to GCP. Here is the architecture, the traps, and the rollout plan.
What is Runtime Protection
Runtime protection catches what pre-deployment scanning can't — live attacks like the XZ Utils backdoor and Log4Shell exploitation, detected only in production.
What is Drift Detection
Drift detection catches unauthorized config changes in real time. See how it works, why it fails in most orgs, and real breaches it could have stopped.
What is Posture Management
Security posture management explained: what it covers, how it differs from vulnerability management, and why misconfiguration still drives most cloud breaches.