Cloud Security
In-depth guides and analysis on cloud security from the Safeguard engineering team.
237 articles
Unified identity, segmentation, and policy-as-code for multi-cloud
38% of breaches start with stolen credentials, per Verizon's 2024 DBIR — the fix for multi-cloud estates is unified identity, segmentation, and policy-as-code, not per-provider IAM.
The 2026 AWS Security Checklist: Account, IAM, Network, and Data Controls
One SSRF call against an unpatched WAF and a permissive IAM role were enough to expose 106 million Capital One records in 2019 — here's the checklist that stops it.
The most common AWS misconfigurations in 2026, with detection commands
Public S3 buckets, wildcard IAM policies, and 0.0.0.0/0 security groups remain the top three AWS findings — here's how to detect each with native tools.
Developer empowerment in cloud security: a guardrails-first framework
Gartner estimated through 2025 that 99% of cloud breaches would be the customer's fault, not the provider's — guardrails at the point of action are how you fix that.
Why Cloud Security Outcomes Depend on Developers, Not Gatekeepers
Gartner projected 99% of cloud security failures through 2025 would be the customer's fault — the fix is guardrails developers own, not a central team reviewing after the fact.
Know your cloud environment: a practical asset inventory methodology
Gartner projects that through 2025, 99% of cloud security failures will be the customer's fault — almost always because an asset nobody tracked got misconfigured.
Secure-by-design principles for cloud architecture: prevention over detection
The 2019 Capital One breach hit 700+ S3 buckets through one SSRF call. Secure-by-design architecture stops that path before it exists.
A guide to scanning Terraform IaC for misconfigurations before deployment
tfsec folded into Trivy in February 2023. Sentinel gates plans in Terraform Enterprise. Here's how to catch misconfigured infrastructure before it's ever provisioned.
Connecting build, deploy, and runtime security into one AppSec lifecycle
The XZ Utils backdoor (CVE-2024-3094) was found in the build chain; most tools that would have caught it stop at deploy. Here's how to close that gap.
The most common cloud misconfigurations, and the queries that catch them
Cloud misconfiguration was the initial attack vector in 15% of breaches in IBM's 2024 study — tied with phishing. Here are the six patterns and the queries to find them.
Detecting and remediating Terraform and CloudFormation drift
Terraform's own drift check can return an ambiguous exit code — here's how declared IaC state quietly diverges from live cloud resources, and how to catch it.
Policy as Code: Enforcing Cloud Security Guardrails in CI/CD Instead of Manual Review
OPA reached CNCF Graduated status in January 2021 — yet most teams still catch misconfigured IAM roles by eyeballing a pull request.