A list of architectural and technical recommendations from the Expel team to help reliably and securely deploy, run, and configure a Vault server in Kubernetes.

Blog from Microsoft outlining potential risks that you should be aware of when deploying, configuring, or monitoring your storage environment.

How to attack and audit cloud storage services on Azure.

How Falco can detect and mitigate attacks performed by malware which tries to evade detection.

High level security best practices for every layer of the container stack, from kernel to cluster components.

Some considerations for Kubernetes multi tenancy implementation using Amazon EKS, covering different perspectives around compute, networking, and storage.

This blog post is about an experiment to automate creation of Kubernetes Network Policies based on actual network traffic captured from applications running on a Kubernetes cluster.

With the recent Kubernetes 1.21 release, you will be able to suspend a Job by updating its spec. The Job controller will refrain from creating Pods until you are ready to start the Job, which you can do by setting suspend: false.

Kubernetes version 1.21 released with changes affecting its security, deprecation of PodSecurityPolicies, new features to block Kubernetes vulnerabilities, and more.

AWS recently introduced S3 Object Lambdas. These Lambda functions sit behind an S3 Access Point and can transparently mutate objects as they are retrieved from S3. This post shows how this mechanism can be combined with pre-signed URLs to protect assets, while simplifying application code and improving the user experience.

Terraform 0.15 includes improvements like state file format stability, unified console support, provider-based, sensitivity and sensitive functions, and structured logging levels.

OPAL is an administration layer for Open Policy Agent (OPA), detecting changes to both policy and policy data in realtime and pushing live updates to your agents. As your application state changes (whether it's via your APIs, DBs, git, S3 or 3rd-party SaaS services), OPAL will make sure your services are always in sync with the authorization data and policy they need.

kube-secrets-init is a Kubernetes mutating admission webhook that mutates any Pod that is using specially prefixed environment variables, directly or from Kubernetes as Secret or ConfigMap.

Open Source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models.

Like the unix tree command but for GCP Org hierarchy.

A collection of resources that provide insights into how to create effective security programs.

AWS STS now offers the ability to specify a unique identity attribute for your workforce identities and applications when they assume an IAM role. This new SourceIdentity attribute makes it easier to determine the identity that performed the actions while the role was assumed.

This post explores the value and use of the NIST CSF as a framework to establish your security objectives, assess your organization's current capabilities, and develop a plan to improve and maintain your desired security posture.

How to use AWS IAM Access Analyzer to automate the detection of public access to resources in an AWS account.

AWS Control Tower is releasing four new, less restrictive, mandatory preventative S3 Log Archive guardrails and changing the guidance of the four previous, more restrictive, preventative S3 Log Archive guardrails from mandatory to elective. With these guardrail changes you can now separate S3 Log Archive governance for resources created by AWS Control Tower from governance for the S3 resources you create.

Google Cloud CISO Phil Venables shares his perspective on industry news from spring 2021 and updates from Google's security team.

This guide presents an opinionated view of Google Cloud security best practices, organized to allow users to adopt or adapt them and then automatically deploy them for their estates on Google Cloud.

With workload Identity federation, you can securely operate your workloads and no longer have to worry about managing service account keys.

Google CAS can help manage certifications at scale. Here's how to put it to work.

GCP's compliance-related initiatives like expanding the list of FedRAMP High certified products and providing new capabilities for North American public sector agencies, assisting with data protection and security requirements in APAC, and evolving with region-specific regulatory requirements in Europe.

A Security Orchestration, Automation and Response (SOAR) solution offers a path to handling the long series of repetitive tasks involved in incident triage, investigation and response, letting analysts focus on the most important incidents and allowing SOCs to achieve more with the resources they have.

Create new Azure Kubernetes Service (AKS) clusters using images from Microsoft's container repository.