Cloud Security
In-depth guides and analysis on cloud security from the Safeguard engineering team.
237 articles
Managing and securing GCP service account keys
A practical, step-by-step guide to GCP service account key security: disable key creation, adopt impersonation, rotate remaining keys, and monitor for misuse.
What Software Delivery Shield does for end-to-end supply ...
A breakdown of what Google Cloud's Software Delivery Shield actually does — SLSA provenance, SBOM generation, Binary Authorization — and where its coverage gaps still leave supply chains exposed.
Best practices for managing encryption keys with Google C...
A step-by-step guide to Cloud KMS best practices: key hierarchy, IAM scoping, envelope encryption, automated rotation, HSM protection levels, and audit logging.
Using GCP organization policy constraints to enforce secu...
GCP organization policy security constraints turn security intent into enforceable guardrails across your resource hierarchy, closing gaps IAM alone cannot.
Using VPC Service Controls to prevent secret exfiltration...
VPC Service Controls create a hard perimeter around Secret Manager, blocking exfiltration even when credentials are compromised or IAM is misconfigured.
Designing least-privilege IAM policies in Oracle Cloud In...
How to design least-privilege OCI IAM policies: dynamic groups, compartment scoping, and the audit habits that keep permissions from silently sprawling.
Comparing AWS Secrets Manager, Azure Key Vault, and GCP S...
A practical, no-hype comparison of AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault, and Doppler — plus how to actually evaluate one.
Comparing confidential VM offerings across major cloud pr...
A practical comparison of confidential virtual machines across Azure, AWS Nitro Enclaves, GCP confidential compute, and more -- real strengths, real limitations, no marketing gloss.
Cloudflare November 18 2025 Outage: A Bot Management Feature File Doubled in Size
A ClickHouse permissions change caused Cloudflare's Bot Management feature file to balloon past a hard-coded proxy limit, taking the core network down for two hours and ten minutes.
Best cloud workload protection platforms (CWPP)
An honest, no-hype comparison of leading cloud workload protection platforms — evaluation criteria, real vendor tradeoffs, and where supply chain security fits in.
Terraform AWS provider misconfiguration trends
Terraform's AWS misconfiguration trends in 2026: how provider v4.0 migration gaps, wildcard IAM policies, and state drift keep exposing production infrastructure.
Kubernetes ingress controller vulnerability roundup
Ingress-nginx, Apache APISIX, and other Kubernetes ingress controllers have racked up critical CVEs since 2021 — here's what actually happened.