Safeguard
Topic

Infrastructure Security

In-depth guides and analysis on infrastructure security from the Safeguard engineering team.

52 articles

Infrastructure Security

Applying CIS Benchmarks to cloud infrastructure

CIS Benchmarks turn "be secure" into testable checks for AWS, Azure, and GCP — here's how to move from annual audit to continuous enforcement.

Jun 16, 20268 min read
Infrastructure Security

Applying least privilege IAM in cloud-native environments

Least privilege IAM fails in practice because permissions are granted for convenience and rarely revoked. Here's how to fix that at cloud scale.

Jun 15, 20267 min read
Infrastructure Security

Securing managed Kubernetes clusters with IaC scanning

IaC scanning catches Kubernetes RBAC, network, and IAM misconfigurations in Terraform and Helm before they ever reach EKS, GKE, or AKS clusters.

Jun 15, 20267 min read
Infrastructure Security

Comparing Terraform security scanners: Snyk IaC, Checkov, tfsec

Snyk IaC, Checkov, and tfsec take different approaches to Terraform scanning — and one of them stopped getting new checks in 2023. Here's how they actually compare.

Jun 15, 20268 min read
Infrastructure Security

The cost of cloud misconfiguration breaches

New breach-cost data shows cloud misconfigurations now cost millions per incident and take months to detect — here's what's driving the trend and how to close the gap.

Jun 15, 20268 min read
Infrastructure Security

When the Cloud Pulls the Plug: The GCP Account Suspension That Took Railway Down (May 19, 2026)

On May 19, 2026, Google Cloud automatically suspended Railway's production account, taking down a platform fronting roughly 10 million services for about eight hours. The root cause was not a breach but a control-plane dependency and a provider action with no human in the loop.

May 21, 202613 min read
Infrastructure Security

When DNSSEC Goes Wrong: The .de TLD Signing Failure That Took Down German Domains (May 5, 2026)

On May 5, 2026, DENIC published unvalidatable DNSSEC signatures for the .de zone after a deployment defect made its signer generate three key pairs instead of one. Validating resolvers worldwide, including Cloudflare's 1.1.1.1, were forced to return SERVFAIL.

May 7, 202613 min read
Infrastructure Security

Iran-Linked Actors Are Disrupting U.S. Water and Energy PLCs: Inside CISA/FBI Advisory AA26-097A (2026)

A joint FBI, CISA, NSA, EPA, DOE and Cyber Command advisory (AA26-097A, April 2026) warns that Iranian-affiliated actors are now causing operational disruption to internet-exposed PLCs across U.S. water, energy, and government facilities. Through May 2026 it is the defining OT threat. We unpack the campaign and the defense.

May 6, 202612 min read
Infrastructure Security

Snyk and HashiCorp Terraform Cloud partnership

Snyk's HashiCorp Terraform Cloud integration gates IaC risk at plan time — here's what it covers, what it misses, and how reachability closes the gap.

Apr 23, 20266 min read
Infrastructure Security

What is Infrastructure as Code (IaC)

IaC turns infrastructure into versioned code, but one bad Terraform default can replicate a security hole across every environment it touches.

Mar 13, 20267 min read
Infrastructure Security

What is IaC Security

IaC security scans Terraform, CloudFormation, and Kubernetes code before deployment—catching misconfigurations before they become breaches.

Mar 12, 20267 min read
Infrastructure Security

What is Terraform Security

Terraform security means finding and fixing risks in IaC code, state files, and providers before they become live cloud misconfigurations.

Mar 12, 20266 min read
Infrastructure Security (Page 2) — Supply Chain Security Blog | Safeguard