[{"content":" ✓ Human-authored analysis; AI used for formatting and proofreading In a 2025 survey by the UK government, it was found that 41% of micro-businesses and 50% of small businesses have experienced either an attack or a data breach.\nAnother 2025 study by the University of Maryland found that small businesses are at a much higher risk of financial disaster given their limited resources, in contrast to big corporations that are already spending millions of US dollars on their cybersecurity posture. In the US, 99% of companies are considered SMBs (based on US Chamber of Commerce data).\nNote Cybercriminals may find SMBs more attractive as a target compared to big corporations, given the low effort required.\nMany SMBs view hiring a cybersecurity expert as a high cost, so they rely instead on their undertrained staff to handle cybersecurity. The harsh reality is that cybersecurity is a broad and specialized field, distinct from the software engineering discipline, which makes it hard for someone with a traditional software engineering background to perform proper threat modelling and propose appropriate policies and controls to lower or mitigate common risks. The same can also be said of traditional DevOps engineers.\nMost employees lack training on how to recognize a phishing attack, or on best practices to protect customer data from accidental leakage or breaches.\nEven with cyber insurance, there is no guarantee that an incident will fall under the insurance policy's coverage. Moreover, the damage a business sustains from a data breach can permanently destroy it, especially when the business depends on customer trust. All US states have breach notification laws with varying scopes and timing requirements (typically without unreasonable delay). As for fines, in New York for example, the fine can be $20/record (max USD 250k). In California, the fines can range from USD 2.5k to 7.5k per violation (without cap). 
The penalties under HIPAA are even bigger, going up to USD 1.5m annually.\nAs a cybersecurity professional coming from a software engineering background, I know that cybersecurity risks are genuinely treated as an afterthought, due to multiple factors ranging from business priorities to a lack of training and awareness.\nSMBs don't actually need to hire an entire team of cybersecurity professionals or pay huge amounts of money to big consulting firms. They can instead hire consultants for scoped engagements.\nCompanies can treat the cost of obtaining and maintaining ISO 27001 certification and good standing as a marketing cost, since clients are becoming more sensitive to the security of their data in today's digital era (soon the AI era). Gold is no longer stored in a closet but as numbers in a database on a server.\nThe cost of cybersecurity consultancy remains minor compared to the cost of a major data breach, the PR management that follows, and asking your marketing and sales teams to handle the aftermath.\n","date":"19 June 2026","externalUrl":null,"permalink":"/posts/smb-common-mistake/","section":"Posts","summary":"The dangerous assumption that SMBs are too small to be targeted leads directly to data breaches. 
This post explains why cybercriminals specifically target small businesses, how this misconception causes SMBs to skip hiring security consultants, and the critical protections needed to prevent breaches.","title":"\"We're Too Small to Be Targeted\" is Why They Never Saw It Coming","type":"posts"},{"content":"","date":"19 June 2026","externalUrl":null,"permalink":"/tags/aws-security/","section":"Tags","summary":"","title":"AWS Security","type":"tags"},{"content":"","date":"19 June 2026","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"","date":"19 June 2026","externalUrl":null,"permalink":"/categories/cloud-security/","section":"Categories","summary":"","title":"Cloud Security","type":"categories"},{"content":"","date":"19 June 2026","externalUrl":null,"permalink":"/tags/cloud-security/","section":"Tags","summary":"","title":"Cloud Security","type":"tags"},{"content":"","date":"19 June 2026","externalUrl":null,"permalink":"/categories/data-breach-prevention/","section":"Categories","summary":"","title":"Data Breach Prevention","type":"categories"},{"content":"","date":"19 June 2026","externalUrl":null,"permalink":"/tags/data-breaches/","section":"Tags","summary":"","title":"Data Breaches","type":"tags"},{"content":"","date":"19 June 2026","externalUrl":null,"permalink":"/tags/gdpr/","section":"Tags","summary":"","title":"GDPR","type":"tags"},{"content":"Independent cloud security consulting focused on AWS security reviews, architecture, and practical risk reduction.\n","date":"19 June 2026","externalUrl":null,"permalink":"/","section":"Mousa Cloud Consulting Blog | Cloud Security Expert","summary":"","title":"Mousa Cloud Consulting Blog | Cloud Security Expert","type":"page"},{"content":"","date":"19 June 2026","externalUrl":null,"permalink":"/tags/pci-dss/","section":"Tags","summary":"","title":"PCI-DSS","type":"tags"},{"content":"","date":"19 June 
2026","externalUrl":null,"permalink":"/posts/","section":"Posts","summary":"","title":"Posts","type":"posts"},{"content":"","date":"19 June 2026","externalUrl":null,"permalink":"/tags/risk-management/","section":"Tags","summary":"","title":"Risk Management","type":"tags"},{"content":"","date":"19 June 2026","externalUrl":null,"permalink":"/tags/s3-misconfiguration/","section":"Tags","summary":"","title":"S3 Misconfiguration","type":"tags"},{"content":"","date":"19 June 2026","externalUrl":null,"permalink":"/tags/security-consulting/","section":"Tags","summary":"","title":"Security Consulting","type":"tags"},{"content":"","date":"19 June 2026","externalUrl":null,"permalink":"/categories/smb-security/","section":"Categories","summary":"","title":"SMB Security","type":"categories"},{"content":"","date":"19 June 2026","externalUrl":null,"permalink":"/tags/smb-security/","section":"Tags","summary":"","title":"SMB Security","type":"tags"},{"content":"","date":"19 June 2026","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"19 June 2026","externalUrl":null,"permalink":"/tags/zero-trust/","section":"Tags","summary":"","title":"Zero Trust","type":"tags"},{"content":"","date":"13 June 2026","externalUrl":null,"permalink":"/tags/ai-security/","section":"Tags","summary":"","title":"AI Security","type":"tags"},{"content":"","date":"13 June 2026","externalUrl":null,"permalink":"/categories/ai-security--governance/","section":"Categories","summary":"","title":"AI Security \u0026 Governance","type":"categories"},{"content":"","date":"13 June 2026","externalUrl":null,"permalink":"/tags/compliance/","section":"Tags","summary":"","title":"Compliance","type":"tags"},{"content":"","date":"13 June 2026","externalUrl":null,"permalink":"/tags/policy-management/","section":"Tags","summary":"","title":"Policy Management","type":"tags"},{"content":"","date":"13 June 
2026","externalUrl":null,"permalink":"/categories/security-governance/","section":"Categories","summary":"","title":"Security Governance","type":"categories"},{"content":"","date":"13 June 2026","externalUrl":null,"permalink":"/tags/security-governance/","section":"Tags","summary":"","title":"Security Governance","type":"tags"},{"content":"I have been observing the cybersecurity landscape recently, and the more time I spend in tech communities, the harder it becomes to ignore a pattern.\nEvery day, every few minutes, I see something along the lines of “Check out my new cool tool that automates ABC” or “I created a free assessment tool that will check all your controls and tell you XYZ” and so on.\nSimple Automation Mindset No Longer Stands Out\nUnfortunately, we are still stuck in a pre-AI-era mindset about how cool automation is and how valuable our coding skills are. However, the blind spot many tech professionals are missing today is that the value proposition of automation no longer helps you stand out.\nWith AI, generating code or automating certain tasks has become so easy that the bar for producing production-ready tools is almost non-existent at this point (except for software that solves complex problems).\nJensen Huang (NVIDIA CEO)\n“It is our job to create computing technology such that nobody has to program, and the programming language is human.” — February 2024, World Government Summit in Dubai\nSam Altman (OpenAI CEO)\n“I have so much gratitude to people who wrote extremely complex software character-by-character. It already feels difficult to remember how much effort it really took. 
Thank you for getting us to this point.” — Sam Altman, posted on X (Twitter), March 2026\nDario Amodei (Anthropic CEO)\n“I have engineers within Anthropic who say I don't write any code anymore. I just let the model write the code, I edit it.” — Dario Amodei, World Economic Forum in Davos, January 2026\nIt is naive to think that an industry projected to reach USD 1 trillion by 2027 will disappear overnight, or that these companies will face an obstacle and give up. Those are companies with massive investments, so failure is not in their vocabulary. As of today, the AI market has reached USD 617.62bn (according to Statista).\nThe above applies not only to software engineering but to cybersecurity as well.\nAI Token Costs vs. Hiring Humans\nIt was already known that AI companies had been running largely at a loss for a few years, and now we see that the overall cost of running AI agents has increased dramatically due to high adoption and hunger for compute power (https://www.businessinsider.com/openclaw-ai-demand-token-use-surge-nvidia-pricing-jumps-2026-2). Rumors suggest that we will go back to hiring humans instead of relying on AI, but there is a huge flaw in this argument.\nAI, like every technology, is costly and not so efficient at the beginning. It only takes a breakthrough before token prices become a lot cheaper. Therefore, the idea that rising token prices will suddenly turn industries away from AI and back to hiring humans as they used to may be true in the short term, but it is less likely to remain a reality.\nA well-developed LLM can spot vulnerabilities and threats much faster than any human, no matter how fast they work. A vulnerability that takes a security engineer hours to spot and patch can be handled by AI within minutes. 
This significantly reduces the cost per hour for companies.\nImportant AI security solutions still require human intervention and maintenance. Companies still need AI security and governance specialists.\nThe Market Is Flooded with SIEM Solutions and Tools\nAccording to an IDC survey, organizations on average are dealing with 10 to 15 security vendors and 60 to 70 security tools (Source: IDC survey, as reported by CrowdStrike, 2024).\nIf anything, companies are actually trying to cut down the number of tools, and even encouraging their internal engineers not to create any additional tools without an internal review process. This is based on my personal observation across multiple industries.\nIs it important that you can write a script or create some tool? Of course! The point is that you need to take into account that when you step into a tech company, your script or tool might only work in the short term, for a problem that the organization may consider not worth buying a SaaS solution for.\nFrom my personal experience in big tech, I sometimes had to pause to think about which tool to use, since each company had dozens in production (even if they didn't really want them).\nWhy a Security Engineering Mindset Is Better Than Automation\nThe value of developing a tool to check policy violations is very weak if the architecture itself is flawed.\nQuite often, you'll find problems that can be solved by a configuration tweak without writing a single piece of code.\nYou might, for example, be tempted to restrict access to AWS S3 by developing a service that stands between the customer and the bucket to ensure only authorized access, when all you had to do was simply use pre-signed URLs.\nAnother example: you could be tempted to develop a tool to revoke the access of AI agents, when a more pragmatic approach would have been granting AI agents authorization tokens with TTLs instead.\nSometimes, the problem is not collecting regulated data but the lack of secure 
design. If your organization can fill a gap by simply enabling encryption when a client inputs their data into a form, would you still try to develop a new tool?\nSecurity and Governance\nWhat was discussed above is only part of security and governance; if I were to cover every aspect of it, I'd probably need more than just a blog post.\nSecurity and governance is a broad topic, but a cybersecurity professional who is proficient in a few of its aspects can offer more value than an engineer who can write a for loop.\nBelow is a non-exhaustive list of topics that fall under security and governance:\nPolicies (with leadership backing)\nCompliance (e.g. GDPR, PCI-DSS, ISO 27001, etc.)\nAccountability (who owns what)\nStandards\nAudit processes (verifying controls and compliance)\nYou can offer an organization a much stronger value proposition if you can, for example, advise their dev team on how to handle PII in their code.\nWhen to Develop a New Tool\nIf you wish to develop a new tool, try to ask yourself the following questions:\nWhat problem exactly am I trying to solve?\nHas someone already made something similar?\nIf I were a client, is the value proposed compelling enough that I'd spend thousands of US dollars on it?\nWill my tool do something that AI and other LLMs cannot do, no matter what?\nYou can perform a simple smoke test by running a search for your idea on any search engine and seeing if it already exists.\nThere are genuinely situations where organizations have neither the time nor the resources to acquire a new SaaS solution for a specific problem, and you may be asked to solve it using automation or a custom script. More often than not, however, your tool will later be replaced by a SaaS provider who has signed an SLA in blood and has 24/7 dedicated teams for support. 
SaaS providers need to meet standards and regulations such as ISO 27001 and have a strong track record.\nConclusion\nI must emphasize that I'm not saying that developing tools is wrong or bad. What I'm trying to prompt is a change of mindset. The question or challenge of today is no longer “How can I automate this?”, but rather, “How can I create systems that are scalable, efficient, resilient and secure?”.\n","date":"13 June 2026","externalUrl":null,"permalink":"/posts/stop-developing-tools/","section":"Posts","summary":"Organizations overinvest in security tools while underinvesting in governance. This post explains why security governance drives better outcomes than tool proliferation and how to implement it effectively.","title":"Stop Developing Tools, Focus on Security Governance Instead","type":"posts"},{"content":"","date":"13 June 2026","externalUrl":null,"permalink":"/tags/agentic-commerce/","section":"Tags","summary":"","title":"Agentic Commerce","type":"tags"},{"content":"","date":"13 June 2026","externalUrl":null,"permalink":"/tags/ai-commerce/","section":"Tags","summary":"","title":"AI Commerce","type":"tags"},{"content":"","date":"13 June 2026","externalUrl":null,"permalink":"/tags/ai-governance/","section":"Tags","summary":"","title":"AI Governance","type":"tags"},{"content":"","date":"13 June 2026","externalUrl":null,"permalink":"/categories/ai-security/","section":"Categories","summary":"","title":"AI Security","type":"categories"},{"content":"","date":"13 June 2026","externalUrl":null,"permalink":"/tags/chargebacks/","section":"Tags","summary":"","title":"Chargebacks","type":"tags"},{"content":"Note This is an answer to a discussion on Quora. Very high! 
Some credit card payment providers will return the money to the customer almost instantly upon a chargeback claim, and then you’d have to prove that the customer actually authorized the payment.\nFor this concrete case, you need to be able to prove to the credit card company exactly what the customer asked the AI agent, that the agent asked for confirmation, that the customer confirmed, and that the actual order placed matches what the agent initially showed the customer.\nYou will need to have proper AI governance and security policies and procedures to satisfy PCI-DSS standards. Under most new AI governance and security standards (e.g. NIST AI RMF), logging is a default expectation, especially of what scope the user authorized the agent to act within. Also, if there is a human admin involved in the middle, you need to log their intervention too.\n","date":"13 June 2026","externalUrl":null,"permalink":"/posts/quora/ai-agent-chargeback-claims/","section":"Posts","summary":"A practical, security-focused answer on chargebacks, authorization evidence, audit trails, and AI governance in agentic commerce.","title":"How Much of an Issue Is Liability in AI Commerce When an AI Agent Buys Something a Customer Didn’t Intend?","type":"posts"},{"content":"","date":"13 June 2026","externalUrl":null,"permalink":"/tags/payments/","section":"Tags","summary":"","title":"Payments","type":"tags"},{"content":"","date":"13 June 2026","externalUrl":null,"permalink":"/tags/quora/","section":"Tags","summary":"","title":"Quora","type":"tags"},{"content":"","date":"13 June 2026","externalUrl":null,"permalink":"/categories/quora-answers/","section":"Categories","summary":"","title":"Quora Answers","type":"categories"},{"content":"","date":"12 June 2026","externalUrl":null,"permalink":"/categories/cybersecurity/","section":"Categories","summary":"","title":"Cybersecurity","type":"categories"},{"content":"","date":"12 June 
2026","externalUrl":null,"permalink":"/tags/cybersecurity/","section":"Tags","summary":"","title":"Cybersecurity","type":"tags"},{"content":"","date":"12 June 2026","externalUrl":null,"permalink":"/tags/data-breach/","section":"Tags","summary":"","title":"Data Breach","type":"tags"},{"content":"","date":"12 June 2026","externalUrl":null,"permalink":"/tags/identity-theft/","section":"Tags","summary":"","title":"Identity Theft","type":"tags"},{"content":"","date":"12 June 2026","externalUrl":null,"permalink":"/tags/personal-data/","section":"Tags","summary":"","title":"Personal Data","type":"tags"},{"content":"","date":"12 June 2026","externalUrl":null,"permalink":"/tags/security-awareness/","section":"Tags","summary":"","title":"Security Awareness","type":"tags"},{"content":"Note This is an answer to a discussion on Quora. Primarily, information such as passport number, social security number, date of birth or address is the riskiest.\nMany organizations with loose security policies and controls still use such information for authentication (e.g. 
via phone or chat support).\nThis list, of course, is unfortunately not exhaustive.\nPlatforms that use secret question/answer style password recovery ask questions that an attacker could figure out through social engineering techniques.\nIt is also possible for attackers to combine multiple pieces of data, including subtle ones, to achieve a similar outcome.\nThey often also use the dark web to identify their targets (entities with exposed or leaked sensitive data) by capitalizing on leaked data they can find.\nTypes of identity theft:\nFinancial fraud\nAccount takeover\nSynthetic identity (full-scale impersonation)\nIt all boils down to how loose the security is in the institutions where your information could be used for unlawful activities.\nNote: All scenarios I’m mentioning apply when you don’t need to be either physically present and/or present a biometric document.\n","date":"12 June 2026","externalUrl":null,"permalink":"/posts/quora/identity-theft-via-information/","section":"Posts","summary":"A detailed Quora answer explaining which data elements are critical for identity theft and how attackers exploit them.","title":"What Needs to Be Compromised for Identity Theft?","type":"posts"},{"content":"","date":"9 June 2026","externalUrl":null,"permalink":"/tags/aws/","section":"Tags","summary":"","title":"AWS","type":"tags"},{"content":"Note This is an answer to a discussion on Quora. There are many reasons that make cloud security more challenging than traditional on-premise security.\nIn essence, the following factors play a huge role:\nOn public cloud, you're renting infrastructure from another company.\nOn public cloud, you have no say over what security measures the cloud provider has for their data centers.\nCloud security requires deeper networking expertise beyond simply the server vs. client model.\n
The fundamentals of cloud computing require making data and services accessible remotely via the internet, which carries with it all the risks associated with the internet.\nLack of training and expertise in cloud technology is the primary cause behind misconfigurations, which lead to either data loss or breaches.\nThe above, of course, is not an exhaustive list. OWASP has listed the following top 10 risks:\nCloud Misconfiguration\nInsecure Identity and Access Management (IAM)\nInsecure Cloud Storage\nInsecure Cloud Network Configurations\nInsecure Workload Configurations\nSensitive Data Exposure\nInsufficient Logging and Monitoring\nInsecure CI/CD Pipeline\nInsecure Third-Party Integrations\nInsufficient Cloud Security Posture Management (CSPM)\nIn addition to all of the above, regulated industries require adherence to several standards such as PCI-DSS and HIPAA. Therefore, it is not enough to secure your cloud; you also need to have adequate logging, monitoring, policies and controls in place. While on-premise also requires compliance with the same standards, on the cloud it's more complex: beyond the endpoints made available to cloud consumers, you sometimes need to ask the cloud provider for extra logs, as well as for cooperation with legal holds during investigations by authorities.\nWhy do companies still bother with all of these complexities? 
It is very efficient since you only pay for what you use, and you don't need to handle constant hardware procurement and all the overhead it entails.\n","date":"9 June 2026","externalUrl":null,"permalink":"/posts/quora/why-cloud-security-such-a-challenge/","section":"Posts","summary":"A full answer to a Quora question on why cloud security is such a challenge.","title":"Why Is Cloud Security Such a Challenge?","type":"posts"},{"content":"","date":"8 June 2026","externalUrl":null,"permalink":"/tags/authentication/","section":"Tags","summary":"","title":"Authentication","type":"tags"},{"content":"","date":"8 June 2026","externalUrl":null,"permalink":"/tags/iam/","section":"Tags","summary":"","title":"IAM","type":"tags"},{"content":"","date":"8 June 2026","externalUrl":null,"permalink":"/categories/identity--access-management/","section":"Categories","summary":"","title":"Identity \u0026 Access Management","type":"categories"},{"content":"","date":"8 June 2026","externalUrl":null,"permalink":"/tags/identity-management/","section":"Tags","summary":"","title":"Identity Management","type":"tags"},{"content":"","date":"8 June 2026","externalUrl":null,"permalink":"/tags/mfa/","section":"Tags","summary":"","title":"MFA","type":"tags"},{"content":"","date":"8 June 2026","externalUrl":null,"permalink":"/tags/passwordless-authentication/","section":"Tags","summary":"","title":"Passwordless Authentication","type":"tags"},{"content":"","date":"8 June 2026","externalUrl":null,"permalink":"/tags/phishing-resistance/","section":"Tags","summary":"","title":"Phishing Resistance","type":"tags"},{"content":"","date":"8 June 2026","externalUrl":null,"permalink":"/categories/security-best-practices/","section":"Categories","summary":"","title":"Security Best Practices","type":"categories"},{"content":"According to a 2024 study by the Ponemon-Sullivan Privacy Report, around 76% of organizations 
surveyed in the US haven't adopted passwordless yet.\nGiven the rapidly evolving landscape of the internet and AI, the lag in adopting passwordless is a concern worth highlighting.\nPasswords Are Not Enough Anymore\nHackers figured out long ago many ways to obtain passwords. All it takes for an account to be compromised is one vulnerable service running on a server, or a side-channel attack, and the password will already be sold on the dark web to the highest bidder.\nDespite the fact that many organizations have raised the baseline password complexity to comply with standards and regulations, there are still other challenges:\nPassword rotation fatigue: employees who may not be very tech-savvy (or may not use password managers) resort to workarounds that could compromise their passwords.\nHow passwords are stored cannot be ignored. The security level among applications that use passwords can be inconsistent. This means, for example, that your banking application might be very secure, but this may not be true if you're using the same password for a partner site or service.\nEven passwords that are encrypted at rest can be compromised if the encryption algorithm is weak or contains vulnerabilities.\nHackers often use social engineering to try to guess passwords, combined with password cracking tools. Short and predictable passwords can be cracked in seconds to a few minutes.\nWhat makes relying on passwords alone even more risky is that around 80% of organizations haven't yet adopted a zero trust architecture, which means that all it takes is one compromised password or account and hackers can install malware to extract others' passwords (APT). This is as per the same 2024 study by the Ponemon-Sullivan Privacy Report.\nThe above scenarios of course assume that users do not have adequate 2FA configured, or that their 2FA channels are also compromised (e.g. 
zero-click attacks on mobile devices).\nHow Does Passwordless Solve The Problem?\nPasswordless implementations such as FIDO2 significantly reduce the risks associated with password handling, because the passwordless device itself becomes the authenticator. This can come in the form of BYOD or, for example, hardware security keys (e.g. YubiKeys are a popular solution).\nWhen you enroll a passwordless-compatible device, the device generates a private and a public key. The private key, which contains the secret (a random number), never leaves the device and cannot be extracted. In addition, the private key is calculated from the web service domain together with the generated secret.\nTip Since the private key uses the web service domain alongside the secret, this makes phishing attacks much harder.\nSince each login uses a different random challenge signed with the private key, replay attacks become useless.\nSome passwordless authenticators may also be compatible with biometric authentication such as face recognition or fingerprints, which reduces theft risks.\nExamples of passwordless solutions:\nFIDO2 (Fast Identity Online) -> most secure\nOTP (One Time Password)\nBiometric Authentication\nMagic Links (one-time links)\nMobile App-Based\nThird-Party Identity Providers (e.g. Azure AD, Okta and Ping Identity)\nCertificates and Tokens\nPhysical Tokens\nWhy Are Organizations Lagging Behind?\nThe main challenge organizations still face in adopting passwordless is account recovery. If passwords are phased out without having reasonably secure options for account recovery, there is a significant risk of access loss.\nOther factors contributing to the slow adoption include legacy systems and employees getting overwhelmed by the change.\nNo Standard Account Recovery Solution\nAs of today, organizations are implementing different procedures for account recovery. 
For example, some organizations require the employee to come to the workplace in person in order to restore access. Others provide hotlines where employees are asked different challenge questions and need to execute one extra step to restore their access.\nWhy Organizations Need to Prioritize Passwordless\nSince secrets never leave the device in the case of FIDO2, it's much harder for attackers to extract the secrets and use them.\nNote While most passwordless-compatible devices are secure, this doesn't mean that side-channel attacks are impossible. For instance, during testing, NinjaLab found a vulnerability (EUCLEAK) in the cryptographic library that made it possible for them to clone the key. Yubico advised users to either upgrade or purchase newer, patched versions of YubiKeys.\nTransitioning the organization to passwordless standards requires both technical expertise and, most importantly, the backing of leadership and dedicated effort when it comes to dealing with legacy systems. Quite often, organizations instead try to deprecate incompatible systems in favor of building or buying licenses for compatible ones.\n","date":"8 June 2026","externalUrl":null,"permalink":"/posts/why-organizations-missing-passwordless/","section":"Posts","summary":"Despite passwordless authentication’s superior security benefits, 76-86% of organizations haven’t fully adopted it. 
This post explores the key barriers preventing passwordless adoption and how to overcome them.","title":"Why Organizations Are Still Missing Out on Passwordless Adoption","type":"posts"},{"content":"","date":"6 June 2026","externalUrl":null,"permalink":"/tags/data-privacy/","section":"Tags","summary":"","title":"Data Privacy","type":"tags"},{"content":"","date":"6 June 2026","externalUrl":null,"permalink":"/tags/encryption/","section":"Tags","summary":"","title":"Encryption","type":"tags"},{"content":"Note This is an answer to a discussion on Quora. This is a very good question and your concerns are valid, especially today.\nNowadays, companies are gearing more towards open-source solutions. While mainstream cloud providers such as AWS, Azure and others are still being used, security best practices still apply regardless of the cloud provider. In addition, companies are increasingly adopting a mix of native cloud solutions and open-source for the same reason. This is why containers are important.\nSome companies that adopt a multi-cloud strategy reduce confidentiality risks by, for example, having encryption keys handled by a third party (not the same cloud provider). This allows them to reduce the risk of insider threats at the vendor (see the figure below).\nThis strategy helps isolate the data from the cloud providers and reduces vendor-related risks.\nAs for encryption, AES-256 based encryption is still considered strong enough. Quantum computing will definitely require many organizations to change their encryption algorithms, but the good news is that quantum-resistant encryption is already gaining pace in the market.\nAI vulnerabilities are real, and this is why companies that are taking a structured approach towards AI are using AI to mitigate AI-related risks.\nGovernment backdoors are a real problem that hurts both businesses and public trust. 
This is why we will see more and more adoption of end-to-end encryption. Currently, a lot of platforms have either true E2E or semi-E2E. End-to-end encryption has now become almost a trust standard, but some companies unfortunately use deceptive tactics to promote themselves as E2E when they actually are not.\nTo prove that E2E solves the problem of backdoors, there were attempts by the UK government to ban it in 2015, but they didn\u0026rsquo;t go through. (Ellis, C. (2018). \u0026lsquo;On Backlash: Emotion and the Politicisation of Security.\u0026rsquo; Politics, 38(3), pp. 267-284. Political Studies Association, UK.)\nFrom a commercial perspective, no business benefits from having compromised security or government backdoors because it hurts clients\u0026rsquo; trust and confidence.\nOrganizations quite often think that compromising privacy improves security, but as a matter of fact, it doesn\u0026rsquo;t. There are always alternative methods that organizations can follow without compromising privacy, but it boils down to leaders being aware of the risks of solutions that compromise privacy.\n","date":"6 June 2026","externalUrl":null,"permalink":"/posts/quora/cloud-security-challenges-ai/","section":"Posts","summary":"A practical, security-focused answer on safeguarding cloud environments against modern encryption and AI-driven threats.","title":"How Do You Protect Privacy \u0026 Security in Cloud Platforms Amid Encryption Risks and AI Threats?","type":"posts"},{"content":"","date":"5 June 2026","externalUrl":null,"permalink":"/tags/backup-strategy/","section":"Tags","summary":"","title":"Backup Strategy","type":"tags"},{"content":"","date":"5 June 2026","externalUrl":null,"permalink":"/tags/cloud-storage/","section":"Tags","summary":"","title":"Cloud Storage","type":"tags"},{"content":"","date":"5 June 2026","externalUrl":null,"permalink":"/tags/data-backup/","section":"Tags","summary":"","title":"Data Backup","type":"tags"},{"content":"","date":"5 June 
2026","externalUrl":null,"permalink":"/tags/data-security/","section":"Tags","summary":"","title":"Data Security","type":"tags"},{"content":"Note This is an answer to a discussion on Quora. It depends on your risk management approach. If you put all the physical drives together in one spot, then the answer is no.\nA better approach would be \u0026ldquo;Hybrid\u0026rdquo;: store your data on physical drives and keep a well-encrypted backup in the cloud.\nMost cloud providers have measures to ensure that your data won\u0026rsquo;t be lost if a data center goes down or if they have hardware failures.\nThe real risk of backing up data to the cloud mostly boils down to whether or not you chose a good cloud provider and whether you configured protection properly.\nIt is possible, for instance, to have encrypted backups in the cloud but never share or store the decryption keys in the cloud.\nYou also need to take into account environmental factors about the physical location of your drives. If your area is known for having floods, storms, tornadoes, etc\u0026hellip;, then well-positioned cloud providers can help you mitigate the risk.\nHardware drives are made of metal materials that degrade over time, so even if you don\u0026rsquo;t touch your drives for many years, if the environment where they are stored is not well maintained, the drives might fail. 
Of course, this is not a common scenario when it comes to the hardware, but I\u0026rsquo;m trying to point out that there is no risk-free option.\nIf you ask me about industry best practices, follow the 3-2-1 backup rule (3 copies, 2 different media and 1 offsite).\n","date":"5 June 2026","externalUrl":null,"permalink":"/posts/quora/drivers-backup-vs-cloud/","section":"Posts","summary":"A full Quora answer explaining the advantages and disadvantages of multiple drive backups versus cloud storage for data security.","title":"Is Backing Up to Multiple Drives Safer Than Cloud Storage?","type":"posts"},{"content":"","date":"5 June 2026","externalUrl":null,"permalink":"/tags/multiple-drives/","section":"Tags","summary":"","title":"Multiple Drives","type":"tags"},{"content":"","date":"5 June 2026","externalUrl":null,"permalink":"/tags/physical-storage/","section":"Tags","summary":"","title":"Physical Storage","type":"tags"},{"content":"","date":"5 June 2026","externalUrl":null,"permalink":"/tags/ai-infrastructure/","section":"Tags","summary":"","title":"AI Infrastructure","type":"tags"},{"content":"","date":"5 June 2026","externalUrl":null,"permalink":"/tags/antitrust/","section":"Tags","summary":"","title":"Antitrust","type":"tags"},{"content":"","date":"5 June 2026","externalUrl":null,"permalink":"/tags/cloud-competition/","section":"Tags","summary":"","title":"Cloud Competition","type":"tags"},{"content":"","date":"5 June 2026","externalUrl":null,"permalink":"/tags/ftc/","section":"Tags","summary":"","title":"FTC","type":"tags"},{"content":"","date":"5 June 2026","externalUrl":null,"permalink":"/categories/industry-analysis/","section":"Categories","summary":"","title":"Industry Analysis","type":"categories"},{"content":"","date":"5 June 2026","externalUrl":null,"permalink":"/tags/industry-analysis/","section":"Tags","summary":"","title":"Industry Analysis","type":"tags"},{"content":"","date":"5 June 
2026","externalUrl":null,"permalink":"/tags/microsoft-azure/","section":"Tags","summary":"","title":"Microsoft Azure","type":"tags"},{"content":"Note This is an answer to a discussion on Quora. Honestly speaking, I’m not surprised about this. Actually, every cloud service provider has locked in their customers with a service or terms that make it difficult to switch. Therefore, this is not unique to Microsoft. However, what’s concerning to me is if the demand for data centers generated by OpenAI was all controlled by one entity (Microsoft). This means that Microsoft made it harder for other service providers to offer more efficient or more environmentally friendly data center solutions, since AI does require data centers.\nThe FTC\u0026rsquo;s main concern is that Microsoft\u0026rsquo;s deal with OpenAI in 2019 has barred other workload providers from competing with Azure, potentially negatively impacting fair competition, innovation and sustainability.\n","date":"5 June 2026","externalUrl":null,"permalink":"/posts/quora/reaction-microsoft-ftc/","section":"Posts","summary":"An analysis of the FTC’s antitrust investigation into Microsoft’s Azure cloud services and AI industry practices, examining vendor lock-in and market consolidation concerns.","title":"Microsoft's Azure Antitrust Investigation: What This Means for Cloud Competition","type":"posts"},{"content":"","date":"5 June 2026","externalUrl":null,"permalink":"/tags/vendor-lock-in/","section":"Tags","summary":"","title":"Vendor Lock-In","type":"tags"},{"content":"Note This is an answer to a discussion on Quora. According to Zero Trust principles, assume every surface is vulnerable and do not trust without verification. 
It allows only specific traffic while denying all other traffic.\nImportant When it comes to cloud, we can\u0026rsquo;t talk about zero trust without talking about microsegmentation.\nMicrosegmentation is a network security technique where each application, device or workload is protected by granular security zones. It is similar to VLANs but more granular. Microsegmentation is achieved using a combination of firewalls, security groups, VPCs (AWS), roles and other security services.\nA great example is when you separate each department in an organization by creating a dedicated VPC for each (alongside security groups, NACLs and routing).\nSuch techniques achieve the following:\nReduced attack surface (prevents East-West attack movement).\nProtection of critical applications.\nBetter regulatory compliance.\nEasier maintenance and management of each asset.\nOne of the biggest challenges of achieving Zero Trust is when there is a conflict between Zero Trust principles and business requirements, including lifecycle policy management.\n","date":"4 June 2026","externalUrl":null,"permalink":"/posts/quora/cloud-zero-trust/","section":"Posts","summary":"A full answer to a Quora question on how zero trust cloud security works.","title":"How Does Zero Trust Cloud Security Work?","type":"posts"},{"content":"","date":"4 June 2026","externalUrl":null,"permalink":"/tags/network-security/","section":"Tags","summary":"","title":"Network Security","type":"tags"},{"content":"","date":"4 June 2026","externalUrl":null,"permalink":"/categories/ai-governance/","section":"Categories","summary":"","title":"AI Governance","type":"categories"},{"content":"","date":"4 June 2026","externalUrl":null,"permalink":"/tags/ethics/","section":"Tags","summary":"","title":"Ethics","type":"tags"},{"content":"","date":"4 June 2026","externalUrl":null,"permalink":"/tags/human-rights/","section":"Tags","summary":"","title":"Human Rights","type":"tags"},{"content":"","date":"4 June 
2026","externalUrl":null,"permalink":"/tags/owasp/","section":"Tags","summary":"","title":"OWASP","type":"tags"},{"content":"AI\u0026rsquo;s Rapid Growth and Lack of Regulation # AI security is not only about protecting passwords and secrets; it is about ensuring human safety first and foremost, just as in software security in general.\nWe have seen in recent years how AI has been rapidly expanding, and, similar to the early days of the internet, when the legal and regulatory bodies were still catching up, we are seeing a similar pattern taking place at the moment. Despite the fact that we have seen new standards and frameworks (e.g. NIST AI RMF) addressing the need for more responsible and safe AI usage, there are still a lot of concerns about which direction AI is going, while corporations are rapidly pushing AI development to outpace the regulators instead of coordinating with regulators on what\u0026rsquo;s acceptable and what is not.\nWe have recently seen several instances where AI solutions have been used recklessly by certain organizations without proper controls or testing, which led to several tragic incidents and loss of lives.\nNote A perfect example of AI-caused loss of lives is Tesla\u0026rsquo;s Autopilot, which has so far been linked to 467 crashes, 54 injuries and 14 deaths. This is according to NHTSA\u0026rsquo;s updated findings. Read the full PBS article on NHTSA\u0026rsquo;s investigation\nOWASP \u0026amp; AI # According to the OWASP AI Testing Guide, human oversight is required to ensure the safety and security of any AI-based product or solution. This is implemented by having several human-in-the-loop checkpoints for any critical AI decisions, as well as proper monitoring and logging of any human intervention.\nIn addition, there have been rising concerns about bias, since LLMs can be biased depending on what training data they have been fed. 
This is why it must be ensured that LLMs are tested against bias. Check the OWASP Top 10 for LLM Applications.\nOverconfidence Challenge # Overconfidence in AI will remain one of the biggest challenges to address, since a lot of organizations jumped on the AI bandwagon without assessing the organization\u0026rsquo;s AI maturity and without a structured governance framework and policies in place.\nAI models and LLMs do make mistakes and do have flaws, and over-reliance on AI, especially in sensitive situations, could lead to catastrophic consequences.\nWhile AI has definitely made it easier for malicious actors to compromise software, we should not forget that OWASP has a duty as well to prevent AI from being used in ways that may violate human rights or compromise human dignity.\nWill the EU AI Act address the long-sought-after answers?\nWhat do you think that we as cybersecurity practitioners can do to fill in the gaps and go above and beyond to prevent AI from ever being used in a way that could compromise safety and human life?\n","date":"4 June 2026","externalUrl":null,"permalink":"/posts/ai-human-rights/","section":"Posts","summary":"An exploration of OWASP’s duty to human rights and why AI security matters for protecting vulnerable populations.","title":"OWASP's Duty to Human Rights: Why AI Security Matters for Human Dignity","type":"posts"},{"content":"","date":"4 June 2026","externalUrl":null,"permalink":"/tags/software-security/","section":"Tags","summary":"","title":"Software Security","type":"tags"},{"content":"","date":"4 June 2026","externalUrl":null,"permalink":"/categories/thought-pieces/","section":"Categories","summary":"","title":"Thought Pieces","type":"categories"},{"content":"Note This is an answer to a discussion on Quora. Does it matter? Yes. Is it compulsory? 
No.\nWhy it matters: When you have a solution that has, for example, identity and AI integrated together, it makes the response to suspicious activities or compromised identities a lot faster. In essence, having multiple integrations in one product helps address potential blind spots.\nAs more companies are adopting zero trust, it becomes essential to have those integrations because each surface is treated as a vulnerability. For example, imagine that you want to verify that sensitive actions are both authenticated and authorized; it would be difficult to implement without having some level of integration with identity solutions and network monitoring solutions.\nWhen you say cybersecurity products, you need to be more specific because antivirus software is also a cybersecurity product.\nGenerally speaking, if you are talking about enterprise cybersecurity products in an organization with thousands of users, then ideally identity should be integrated, especially when it comes to BYOD.\nIf the product is, for example, related to monitoring network activities, then you need network integration.\nSpeaking of cloud, it\u0026rsquo;s hard nowadays to imagine anything that runs purely on-premises, so I\u0026rsquo;d say if a product is not cloud-friendly or lacks cloud integrations, it\u0026rsquo;s definitely a red flag since most enterprises are using cloud solutions.\nAI fits very well in monitoring suspicious network activities, so it\u0026rsquo;s very suitable for products that specialize in that.\nNow, can we have all of those in one cybersecurity solution? Absolutely! Many providers today, like AWS, offer many services that cover all of a company\u0026rsquo;s needs, but they require proper configuration.\nNote AI integration is still relatively new. 
So while it\u0026rsquo;s useful as a tool at some point, it can also lead to failures due to overconfidence.\nThere are a lot of cybersecurity products nowadays and very strong competition among the providers, so in case you\u0026rsquo;re thinking of offering cybersecurity products, you will need to have strong differentiation.\nIn my personal experience, providers sometimes add half-baked features in order to be competitive, but I\u0026rsquo;ve seen those half-baked solutions cause more harm than good. This is a pain area for a lot of companies because they get very competitive prices without realizing that they are going to be the beta testers.\nI\u0026rsquo;d rather bet on a well-established product with limited features than buy an all-in-one product, because some of them end up doing poorly at all of them.\nIf you have a product that has identity integration but its AI generates a lot of false positive alerts which cause work stoppages, then it\u0026rsquo;s definitely better not to have it.\n","date":"3 June 2026","externalUrl":null,"permalink":"/posts/quora/cybersecurity-products/","section":"Posts","summary":"A full answer to a Quora question on the importance of integrated cybersecurity solutions across network, cloud, identity, and AI.","title":"How Important Is It for Cybersecurity Products to Have Integrated Network, Cloud, Identity, and AI Security Solutions?","type":"posts"},{"content":"","date":"3 June 2026","externalUrl":null,"permalink":"/tags/identity-security/","section":"Tags","summary":"","title":"Identity Security","type":"tags"},{"content":"","date":"3 June 2026","externalUrl":null,"permalink":"/tags/platform-security/","section":"Tags","summary":"","title":"Platform Security","type":"tags"},{"content":"","date":"2 June 2026","externalUrl":null,"permalink":"/tags/data-exposure/","section":"Tags","summary":"","title":"Data Exposure","type":"tags"},{"content":"","date":"2 June 
2026","externalUrl":null,"permalink":"/tags/misconfiguration/","section":"Tags","summary":"","title":"Misconfiguration","type":"tags"},{"content":"","date":"2 June 2026","externalUrl":null,"permalink":"/tags/s3/","section":"Tags","summary":"","title":"S3","type":"tags"},{"content":"","date":"2 June 2026","externalUrl":null,"permalink":"/tags/security-best-practices/","section":"Tags","summary":"","title":"Security Best Practices","type":"tags"},{"content":"Note This is an answer to a discussion on Quora. The most common problem or scenario that S3 users encounter is that they need their applications to access an object that is hosted in an S3 bucket, and during the development stages they either directly or indirectly make the S3 objects public without realizing it.\nThis is why AWS has made it possible for VPCs to access S3 buckets using Gateway Endpoints as an alternative to using public URLs over the public web, and for scenarios where S3 users, for example, want to share files only with subscribers or premium customers, they can use pre-signed URLs with an expiry date or time.\nAnother scenario where S3 buckets get exposed is an over-permissive IAM role policy like the example below. This is why professionals often set up restrictive SCPs as a guardrail to limit what accounts can access.\n{\n  \u0026#34;Effect\u0026#34;: \u0026#34;Allow\u0026#34;,\n  \u0026#34;Action\u0026#34;: \u0026#34;s3:*\u0026#34;,\n  \u0026#34;Resource\u0026#34;: \u0026#34;*\u0026#34;\n}\nIf the service or account given unlimited access to the S3 bucket is compromised, an attacker can simply access all of the bucket\u0026rsquo;s contents. 
This is why it\u0026rsquo;s better to give limited access to S3 buckets and, when possible, to create multiple buckets depending on data sensitivity.\nOther than that, a compromised user with open access to S3 or admin access is another possibility.\nS3 buckets\u0026rsquo; vulnerabilities are mainly misconfigurations or lack of training.\nLast but not least, S3 buckets normally have a setting called \u0026ldquo;Block Public Access\u0026rdquo;. This is the top vulnerability, as disabling it or misconfiguring this setting can expose the entire bucket to the internet. There is no telling how much time it takes for bots and crawlers to hit it if it\u0026rsquo;s not enabled at creation or before any objects are stored in the bucket.\nAll of the above are a few common examples. There are many other common mistakes or scenarios where S3 buckets get exposed. This is why it\u0026rsquo;s crucial for organizations to invest in training their staff or employees on how to handle S3 buckets securely.\n","date":"2 June 2026","externalUrl":null,"permalink":"/posts/quora/typical-s3-vulnerabilities/","section":"Posts","summary":"A full answer to a Quora question on AWS S3 bucket misconfigurations and data exposure risks.","title":"What Typical Vulnerabilities in AWS S3 Buckets Lead to Accidental Data Exposure?","type":"posts"},{"content":"","date":"1 June 2026","externalUrl":null,"permalink":"/tags/data-center/","section":"Tags","summary":"","title":"Data Center","type":"tags"},{"content":"","date":"1 June 2026","externalUrl":null,"permalink":"/tags/infrastructure/","section":"Tags","summary":"","title":"Infrastructure","type":"tags"},{"content":"","date":"1 June 2026","externalUrl":null,"permalink":"/tags/private-cloud/","section":"Tags","summary":"","title":"Private Cloud","type":"tags"},{"content":"","date":"1 June 2026","externalUrl":null,"permalink":"/tags/public-cloud/","section":"Tags","summary":"","title":"Public Cloud","type":"tags"},{"content":"Note This is an answer to a discussion on Quora. For most businesses, private cloud is considered overkill, since the costs of private cloud can be prohibitive for general commercial businesses that do not handle much sensitive data.\nThe main problem or concern about public cloud is multi-tenancy. This means, for example, that if you\u0026rsquo;re renting a server (e.g. EC2 in AWS), you\u0026rsquo;re not getting a whole machine in an AWS data center but instead a chunk of one (a virtual machine). The other portions are potentially used by other customers.\nThe risk boils down to how well the virtual machines are isolated. A mistake or hole in the virtualization layer can be a serious risk. This is why most cloud providers offer VPC (virtual private cloud) solutions, where you can achieve similar results but with more control using security groups, IAM policies, routing, encryption, etc\u0026hellip;\nPrivate cloud is often used in regulated industries such as healthcare, financial institutions and government. Many cloud providers also offer private cloud packages, which are more cost-effective than building your own data center.\nUnfortunately, building a data center isn\u0026rsquo;t enough because you still need to have business continuity and disaster recovery plans. When you build a data center, you run all the risks of a cloud provider in addition to your business risks. 
This is why private cloud is uncommon for typical businesses.\n","date":"1 June 2026","externalUrl":null,"permalink":"/posts/quora/private-vs-public-cloud/","section":"Posts","summary":"A full Quora answer explaining the advantages of private cloud over public cloud for business infrastructure.","title":"Public vs Private Cloud","type":"posts"},{"content":"","date":"1 June 2026","externalUrl":null,"permalink":"/tags/business-security/","section":"Tags","summary":"","title":"Business Security","type":"tags"},{"content":"Note This is an answer to a discussion on Quora. You have to think of the cloud as your IT infrastructure, but it\u0026rsquo;s on the \u0026ldquo;Cloud\u0026rdquo;.\nThe cloud providers typically are responsible for securing their data centers. However, depending on what layer you chose, you are responsible for securing the layers that you control. If you\u0026rsquo;re using IaaS (e.g. AWS EC2), then you\u0026rsquo;re responsible for patching your instances and also securing whatever is running on them. If you\u0026rsquo;re using PaaS (e.g. AWS Elastic Beanstalk), you have to secure access, data, configurations, secrets and the code that is running on it. Usually, IaaS requires more work than PaaS and SaaS, with SaaS being the least amount of work (unless you are the SaaS provider).\nThe best cloud security solution is following industry standards and regularly auditing your security controls.\nWhen it comes to IAM, apply the principle of least privilege and enforce role-based access. Ensure auditability and traceability using CloudTrail in the case of AWS. Set up GuardDuty, make sure to set up notification rules and regularly monitor the logs for anomalies. You will always have errors in an application or system; classify those problems to reduce alert fatigue and treat unclassified problems as a risk, since those could be symptoms of a security vulnerability. 
If you follow the zero trust approach, treat every surface as a potential attack surface. Then you need to think of threat modeling. Data classification is also as important as all of the above. You can\u0026rsquo;t secure what you can\u0026rsquo;t see. This is a challenge when it comes to unstructured data. However, today most cloud providers offer solutions to detect sensitive data using LLMs (I would not have that as a first-go solution). Cloud security is very broad, and configurations depend on many factors: each business has a different risk tolerance and business requirements, as well as a different legal and regulatory environment, so it can be a journey.\nThis is why companies hire cloud consultants or experts on the matter, because it\u0026rsquo;s a whole field of its own.\n","date":"1 June 2026","externalUrl":null,"permalink":"/posts/quora/cloud-security-solutions/","section":"Posts","summary":"A full answer to a Quora question on the best cloud security solutions for businesses.","title":"What Are the Best Cloud Security Solutions for Businesses?","type":"posts"},{"content":"Short, practical answers on cloud security, AWS, compliance, and AI governance.\nBrowse the posts below.\n","date":"31 May 2026","externalUrl":null,"permalink":"/posts/quora/","section":"Posts","summary":"Answers and articles adapted from Quora topics.","title":"Quora Answers","type":"posts"},{"content":"","date":"30 May 2026","externalUrl":null,"permalink":"/case-studies/","section":"Case Studies","summary":"","title":"Case Studies","type":"case-studies"},{"content":"","date":"17 May 2026","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"","date":"17 May 2026","externalUrl":null,"permalink":"/categories/aws/","section":"Categories","summary":"","title":"Aws","type":"categories"},{"content":"","date":"17 May 
2026","externalUrl":null,"permalink":"/tags/devsecops/","section":"Tags","summary":"","title":"Devsecops","type":"tags"},{"content":"","date":"17 May 2026","externalUrl":null,"permalink":"/tags/guardduty/","section":"Tags","summary":"","title":"Guardduty","type":"tags"},{"content":"","date":"17 May 2026","externalUrl":null,"permalink":"/categories/incident-response/","section":"Categories","summary":"","title":"Incident-Response","type":"categories"},{"content":"","date":"17 May 2026","externalUrl":null,"permalink":"/tags/incident-response/","section":"Tags","summary":"","title":"Incident-Response","type":"tags"},{"content":"","date":"17 May 2026","externalUrl":null,"permalink":"/tags/iso-27001/","section":"Tags","summary":"","title":"Iso-27001","type":"tags"},{"content":"","date":"17 May 2026","externalUrl":null,"permalink":"/tags/monitoring/","section":"Tags","summary":"","title":"Monitoring","type":"tags"},{"content":"","date":"17 May 2026","externalUrl":null,"permalink":"/authors/mousa/","section":"Authors","summary":"","title":"Mousa","type":"authors"},{"content":"Disclaimer: This is a hypothetical case scenario based on common AWS environments and past incidents, and not about a particular company.\nOverview # Imagine a mid-sized SaaS provider in the US. 
The company provides customers with email marketing services, and its clients are marketing agencies in the US.\nThe company uses AWS for its backend cloud operations and to process clients’ email marketing requests.\nThe company has a small, trusted engineering team, and they had never experienced any security incidents or breaches before; they normally focus on testing their services more than on monitoring the infrastructure.\nSituation # As the digital landscape keeps evolving, the importance of ISO 27001 became more compelling than ever before; so one day, the CEO asked the Engineering Lead to do what’s necessary to achieve ISO 27001.\nThe Engineering Lead called in an external ISO 27001 consultant. As the consultant began going through their checklist (ISO 27002), he asked to be shown what controls they had for AWS in regards to monitoring and incident response.\nThe Engineering Lead showed the consultant their AWS GuardDuty running as well as CloudWatch. The consultant noticed an alert in AWS GuardDuty that was not remediated yet. As the Engineering Lead was talking, he took a closer look at the alert and saw a warning about a suspicious API call made by an employee.\nWhen he looked up the employee’s name in the company records, he found out that the employee had left the company a long time ago.\nWhen he told the Engineering Lead, he was shocked, so he informed the DevOps team to check it out and report back on the matter.\nThey found out that the inactive employee had been running a cron job before they were laid off to automate a certain task related to data aggregation that was no longer valid or needed. 
The cron job wasn’t malicious, but it was now risky.\nThis raised a lot of questions about the company’s monitoring and incident response controls, since the alert was old but no one had taken action; it seemed that no one was really monitoring AWS GuardDuty and there was no proper notification channel.\nConstraints # While the company technically had AWS GuardDuty running, they lacked proper monitoring and incident response procedures in relation to cloud operations due to a lack of expertise on the matter.\nThe company is a cloud customer or cloud consumer, so they thought that the responsibility of monitoring falls within the cloud service provider’s scope, which goes against NIST’s Cloud Reference Architecture and ISO/IEC 17789. The cloud service providers are responsible for securing the cloud, but the cloud consumers are responsible for securing what they build in the cloud.\nThe company’s cloud infrastructure was a blind spot.\nApproach # As a first step, I’d follow the IDEA approach to methodically help the company fill this gap, so they can improve their odds of achieving ISO 27001.\nInventory # Upon checking what the company is currently using, we found the following:\n• AWS GuardDuty (no notification or escalation configured)\n• AWS Config\n• AWS CloudWatch\n• AWS CloudTrail (bloated with lots of events)\nWe have also created a list of all the services the company is running on EC2 (the web application instances) to make sure they’re properly integrated into AWS CloudWatch.\nDesign # First and foremost, the company needs to have a policy in place regarding their cloud operations and responsibilities, as well as monitoring and incident response procedures.\nPolicy:\nInfrastructure using cloud service providers requires monitoring as well as remediation by the DevOps team to ensure business continuity and disaster recovery where applicable.\nProcedures:\n• All warnings and alerts need to be properly escalated through proper channels.\n• Events and alerts on AWS 
need to be classified based on their known criteria, and unknown problems should be investigated until they are classified.\n• A team member needs to be on call to monitor notification channels for any alerts or warnings from AWS GuardDuty, CloudWatch or others based on event rules configured via AWS EventBridge, 24/7 (rotated between team members).\n• There should be a central NOC channel used by the DevOps team and other related stakeholders to monitor for any anomalies or warnings.\n• The team needs to tidy up the logs or alerts that are known problems to prevent alert fatigue. (Achieved by properly classifying alerts.)\n• The concerned teams need to train the staff by simulating scenarios that are risky and likely to happen, using techniques that are available or convenient such as tabletop exercises, cyber drills, red vs. blue team, etc…\nA concrete design for monitoring AWS in our case would look like this:\nExecute # Since we have already laid out the design or proper plan for improving the company’s posture in regards to cloud monitoring and incident response, the execution is what matters most.\nPhase 1: # Before this phase, the management should have already defined the roles and responsibilities of who will inherit the duties of monitoring cloud operations (usually DevSecOps team members).\nThere is no point in enabling notifications if there is a huge number of false positives or alerts of known problems, as they will only generate alert fatigue and overshadow more concerning ones, which may slow down the response or, even worse, cause it to be missed altogether.\nThe goal of this phase is to run an analysis on all the alerts and warnings in all services and identify which patterns are informational, warnings, known problems, past incidents, etc…\nPhase 2: # Next, we will set up EventBridge in AWS for each AWS service with proper SNS/SQS and notification channels (same as in diagram 1), but only for the types of events we care about.\nWe will also set up a separate channel for unknown 
problems or new alerts.\nBonus: If the company is storing data in S3, AWS Macie can be wired to EventBridge in order to notify in case of any content that violates company terms or exposes the company to legal risks.\nPhase 3: # Finally, in this phase, we are going to make sure that our new notification channels are working (e.g. Slack), that the team is able to identify problems that need attention, and that the notifications aren’t too disruptive, overly repetitive or confusing.\nPhase 4 (optional): # Now that we have proper escalation procedures to respond to incidents prospectively, your team has probably missed other warnings or alerts in the past. Having your team retrospectively go back and remediate all past alerts can be helpful, but you’ll most likely encounter a lot of alerts that may no longer be valid or issues that the team has actually remediated without knowing that they did.\nAssure # To make sure that the team’s incident response plan works, we need to remember that many DevSecOps teams are working on important business deliverables such as production deployments, testing, pipelines, etc., so it won’t be enough to set up a policy and call it a day.\nTo make sure that the DevSecOps teams’ attention span still has some space for our new M \u0026 IR (monitoring and incident response), we will schedule trainings in coordination with leaders on a quarterly basis that adapt to ongoing problems or new incidents, so both old team members and new ones are prepared.\nWe can get creative here; as mentioned earlier, we have the following techniques. There is no single perfect technique, so organizations need to explore what works best for them since time and resources aren’t always a luxury:\n• Tabletop exercises: Simulate a scenario in a quiz-like meeting with brain teasers.\n• Cyber drills: Simulate a real incident from past ones and help train team members on where to look and how to escalate.\n• Blue vs. 
Red team: Red team simulates what a real attacker would do and blue team responds.\n• Purple team exercises: Red and blue team work together collaboratively to understand how to spot and respond to specific incidents.\nThe company may already have monitoring and incident response plans, but more often than not, younger companies or startups may lack the expertise specifically in relation to cloud, despite the resources that most cloud providers such as AWS offer (AWS consultants), because these can be expensive and not everyone in your DevSecOps teams will be trained particularly on such high-level problems and governance-related methodologies.\nImpact # With our plan, we have achieved multiple wins:\n• The team now has a structured approach to responding to problems.\n• Better traceability and accountability.\n• Reduced costs by responding earlier to either malicious activities or misconfigurations before they become full incidents.\n• Better controls that contribute towards ISO 27001 (and also cover ISO 27002).\n• Reduced potential downtime or risk of downtime for the company’s customers or clients.\nHow I can help # As a cloud security consultant and architect, I help SaaS teams like yours discover hidden risks, reduce audit headaches, and optimize AWS setup without interrupting performance. 
If this scenario feels familiar, let’s talk about where you are today and what a safer, more efficient architecture could look like for you.\nBook a short call.\nSend me a note\n","date":"17 May 2026","externalUrl":null,"permalink":"/case-studies/why-turning-on-aws-guardduty-is-not-enough/","section":"Case Studies","summary":"A mid-sized SaaS company had AWS GuardDuty enabled, but an old unresolved alert exposed a deeper gap in cloud monitoring and incident response readiness.","title":"Why Turning On AWS GuardDuty Is Not Enough","type":"case-studies"},{"content":"","date":"15 May 2026","externalUrl":null,"permalink":"/categories/compliance/","section":"Categories","summary":"","title":"Compliance","type":"categories"},{"content":"","date":"15 May 2026","externalUrl":null,"permalink":"/tags/data-residency/","section":"Tags","summary":"","title":"Data-Residency","type":"tags"},{"content":" ✓ Human-authored analysis; AI used for formatting and proofreading Disclaimer: This is a hypothetical case scenario based on common AWS environments and past incidents, not about a particular company.\nOverview # Imagine a mid-sized SaaS provider based in the United States serving clients globally, including the EU.\nThe company provides customer-friendly file storage and sharing services with AWS S3 buckets as its backbone.\nThey started off as a US-focused company and after a few years, they decided to begin offering services to the EU.\nSince they were testing the waters, they didn’t yet account for the EU’s complex regulatory landscape and GDPR-related matters.\nSituation # Their EU-based QA team found 2 problems during testing that required urgent escalation to management and the engineering team in the US.\nThey found out that all customer-uploaded files and data were stored in us-east-1 alongside all US customers’ data.\nThey also found that if an attacker crawled the S3 bucket’s domain address, there was no protection layer for the files and that anyone could access uploaded files if 
they figured out what the object URL was.\nThis was immediately escalated to the legal and leadership teams because under GDPR, if this qualified as a personal data breach, then the supervisory authority needs to be notified within 72 hours.\nLuckily, the company’s insurer covered the costs associated with the incident such as legal, forensic and notification costs, and they didn’t yet have a large enough customer base in the EU, but this led the company to bring in an expert to fix the breach.1\nConstraints # The company identified the following challenges in remediating this breach:\n• The EU and US have different regulatory requirements in relation to data retention, which was not planned for at the beginning.\n• The company’s marketing materials stated to EU clients that their data is stored within the EU when in fact it is not.\n• Creating a bucket in the EU and moving files there won’t happen overnight and requires a phased approach with proper testing to avoid outages or creating further compliance challenges.\nApproach # For such an engagement, I’d follow IDEA (Inventory, Design, Execute and Assure).\nInventory # • List all S3 buckets and their current configurations and applied ACLs as well as policies.\n• List S3 buckets that contain EU customers’ data.\n• Verify how the objects are being accessed by the client side.\nDesign # In terms of design, we will need to redesign the service to be more granular by having multiple S3 buckets, one per region, each with its own policies. This would help reduce the amount of backend development needed to address the problem.\nThe backend can simply change the destination bucket depending on the customer’s location. Everything else could remain the same to maintain the customer’s current experience.\nAs for customers needing to have access to their data and request deletion, this can be a useful feature regardless of the region. 
Therefore, our new design would look like below:\nThis way, whenever a change in regulations happens regarding data retention, for example, or there is a need to place a legal hold on a certain customer’s objects, this becomes more dynamic than before.\nExecute # Once we have identified all the above, we will need to implement the following steps where applicable to remediate the breach:\n• The backend application needs to be coded to use presigned URLs for each object in S3 instead of simply storing public URLs.\n• Create a new S3 bucket within the EU (e.g. eu-west-1) and configure S3 Batch Replication for identified EU customers’ object paths only.\n• Redirect all new EU requests to use the EU S3 bucket.\n• Make sure that all S3 buckets have “Block public access” enabled.\n• Make sure that versioning is enabled for each S3 bucket.\n• Once we have verified the above, enable Object Lock and use Compliance Mode.\nThroughout the process, each step is well planned and tested first in a sandbox environment before rolling out the changes.\nWhile the steps are simple and iterations are short, each change must be properly documented and customers need to be informed in advance in case they will be impacted.\nAssure # By following a well-planned agile approach, we would set up proper milestones after defining a success metric for each step implemented.\nLeadership will be updated on a regular basis via weekly team updates as well as demos as evidence of changes implemented.\nImpact # With the above changes implemented, we would get the following wins:\n• By using pre-signed URLs and blocking public access, objects are accessed only by the customer themselves, and if pre-signed URLs are configured with a short expiry, this dramatically lowers exposure.\n• By having an S3 bucket per region, we would be able to dynamically configure each bucket to be in compliance with the given region, such as respecting data retention requirements. 
• This design also makes it easy to onboard other regions.\nBonus: Since data retention and compliance require enabling versioning by default in S3, this also hardens the security posture, because with proper versioning and object locking, the risk from ransomware threats is dramatically reduced.\nHow I can help # As a cloud security consultant and architect, I help SaaS teams like yours discover hidden risks, reduce audit headaches, and optimize AWS setup without interrupting performance. If this scenario feels familiar, let’s talk about where you are today and what a safer, more efficient architecture could look like for you.\nBook a short call.\nSend me a note\n","date":"15 May 2026","externalUrl":null,"permalink":"/case-studies/s3-misconfiguration-still-top-risk-in-2026/","section":"Case Studies","summary":"A practical AWS case study showing how public S3 object access, weak regional data design, and missing safeguards can create both security and compliance problems for SaaS providers.","title":"S3 Misconfiguration Still Top Risk in 2026","type":"case-studies"},{"content":"","date":"15 May 2026","externalUrl":null,"permalink":"/tags/security-architecture/","section":"Tags","summary":"","title":"Security-Architecture","type":"tags"},{"content":"","date":"14 May 2026","externalUrl":null,"permalink":"/tags/audit-readiness/","section":"Tags","summary":"","title":"Audit-Readiness","type":"tags"},{"content":"","date":"14 May 2026","externalUrl":null,"permalink":"/tags/aurora/","section":"Tags","summary":"","title":"Aurora","type":"tags"},{"content":"","date":"14 May 2026","externalUrl":null,"permalink":"/tags/cost-optimization/","section":"Tags","summary":"","title":"Cost-Optimization","type":"tags"},{"content":" ✓ Human-authored analysis; AI used for formatting and proofreading Disclaimer: This is a case scenario based on common real SaaS environments, not a single specific client. 
It shows how I would approach an engagement with similar challenges.\nOverview # Company description: # Size: 200 employees\nProduct: Accounting services to both businesses and individuals\nType: SaaS\nCustomer base: Over 1 million customers in the US\nAge: 5 years (startup phase)\nDuring the early stages, the focus is more on delivery and shipping than compliance. Unfortunately, many engineering teams stop at 2FA and think that compliance issues are done. Compliance is often underestimated at this stage because the business is assessing whether it will survive or not.\nAuditors often have strict requirements that don’t always consider the company’s current setup. This often causes teams to scramble to gather evidence and screenshots to fulfill those requirements. More often than not, this eats away time and resources, and when it becomes a daily or weekly occurrence, it impacts the company’s performance.\nOne of the issues that auditors usually flag as high priority is proving that users face no challenges or risks when requesting that their data be securely accessed or deleted, even after 1 year.\nSituation and Challenges # It happens that some early providers develop applications that run on-prem alongside a machine for the database, which keeps growing over time. 
When the company finally decides to migrate their database of clients to the cloud, they simply create an EC2 instance with MySQL and keep vertically scaling the machine to accommodate higher request volume.\nThe database could handle a huge number of requests, everything from logging in to bloated tables of when clients logged in and logged out, as well as deletion requests.\nAnother requirement auditors often ask for is to keep track of who was granted access to the production database, as well as the service accounts that were used to handle automated tasks.\nOn top of that, companies receive an increasing number of complaints about the service being slow, and end users begin noticing that simple tasks take a lot longer to finish. This can be temporarily solved by upgrading the storage used by their EC2 instance from EBS gp3 (SSD) to EBS io2 (provisioned IOPS SSD).\nAfter a few weeks, client complaints drop and positive feedback improves. This may eventually lead the client base to increase by tens of thousands of accounts when least expected, which would lead the AWS bill to exceed the budget prepared.\nMany of these issues have little to do with the auditors or their questions and more to do with very specific design issues and business decisions that lead to a snowball effect creating all of these problems.\nThis situation unfortunately is more common than you think. 
Most startups follow the MVP approach during the early stages, and their staff are overwhelmed due to limited resources, so serious security and cloud expertise becomes more of an afterthought. At this phase it’s about survival, not about the best design, and this is normal and expected.\nConstraints # It’s easier said than done at this stage to say “Let’s just redesign the whole SaaS”, but for a business handling millions of accounts across the United States, a small outage could raise serious problems or even hurt the company’s reputation and lead to penalties, since they have their own SLA agreements with their clients.\nWe can’t simulate in a sandbox the deployment of a database with millions of accounts and expect that things will be as smooth in production.\nWe are also tempted to think about reducing the database’s size by removing inactive accounts. While this approach may seem legitimate, the problem is that the business expects people to access their accounts once per year, and with unexpected accounting delays, their clients may go absent for over a year without accessing their account. Remember, the auditors on this engagement emphasized that the clients need to be able to access their data and account for up to 10 years unless they explicitly delete their accounts.\nThe auditors were also concerned about multiple teams having access to the EC2 instance running the MySQL server without clear protocols or procedures on who can access what. 
They don’t have dedicated teams for each process.\nHow I’d approach it # Here is where IDEA comes to the rescue!\nIDEA is a 4-phase process to clean up the mess at any organization.\n1- Inventory and discovery\n2- Design (architecture and controls)\n3- Execute (implementation)\n4- Assure (evidence and continuous compliance)\nPhase 1: Inventory and Discovery # The first step to take is not actually a step but rather turning on a flashlight, because walking into the dark is not recommended.\nDuring this phase, we first need to inventory the data as well as map the data flow. The data flow should be mapped from collection/creation till destruction. Labeling the data is extremely important because we need to be able to tell which data needs proper protection.\nThere are many tools used for data discovery and classification, but this doesn’t come without risks, because running those tools is also going to tax the infrastructure, and if the tool is compromised, this would defeat the very reason we use them.\nFirst, we survey the engineering teams to understand what data is being stored and we have a look at sample data in their database and the most important tables.\nThe survey will cover several areas such as the below:\nTeam \u0026 System Context\nData Stores \u0026 Locations\nData Types \u0026 Sensitivity\nData Lifecycle\nService Accounts \u0026 Automation\nPerceived Risks \u0026 Pain Points\nIn more complicated cases where, for example, data may be stored in an unstructured or semi-structured manner and clients or customers are throwing everything there from their financial data to their dogs’ pictures, we would need to use AWS Glue.\nOnce we have the data classified and labeled as well as a clear picture of the data flow from collection till destruction, we can now move to phase 2 and see how we could optimize or improve the situation for the company.\nNote: The reason we begin with this step is because in many cases, the company may or may not be 
aware of what kind of data is being stored, and such discovery would help us later on figure out who should have access to what.\nPhase 2: Design: Architecture and Controls # For accessing the AWS console, the company uses a typical group-based IAM setup. Upon examining the group structure they had, it turned out that they had multiple groups that gave access to EC2 instances which other staff and engineers didn’t actually need. This happened because all the software application and database related access in prod was put in a single group.\nThey integrated their company’s Active Directory with AWS to make sure that when staff left the company, they would also be de-provisioned on AWS. However, the major concern was that this process was not guaranteed to run immediately, so employees who quit the company or were terminated were still active on AWS for up to 24 hours.\nBelow is what their IAM setup looks like:\n# BAD EXAMPLE – OVER‑PERMISSIVE, COARSE‑GRAINED GROUPS\n# 1) One big “prod” group that mixes app + DB + EC2 access\naws iam create-group --group-name Prod-App-And-DB-Admins\n# Attach a broad policy that gives console + EC2 + RDS + S3 + CloudWatch access in prod\naws iam attach-group-policy \\\n  --group-name Prod-App-And-DB-Admins \\\n  --policy-arn arn:aws:iam::aws:policy/PowerUserAccess\n# (PowerUserAccess is already very broad – this is the first red flag.)\n# 2) Re-using the same group for different roles (backend, frontend, ops, support)\naws iam add-user-to-group --group-name Prod-App-And-DB-Admins --user-name backend-dev-1\naws iam add-user-to-group --group-name Prod-App-And-DB-Admins --user-name backend-dev-2\naws iam add-user-to-group --group-name Prod-App-And-DB-Admins --user-name frontend-dev-1\naws iam add-user-to-group --group-name Prod-App-And-DB-Admins --user-name data-analyst-1\naws iam add-user-to-group --group-name Prod-App-And-DB-Admins --user-name support-engineer-1\n# 3) A second “EC2 maintenance” group that is ALSO too broad,\n# but some users are in both groups, effectively giving them wide access to prod hosts.\naws iam create-group --group-name EC2-Maintenance-All-Prod\naws iam attach-group-policy \\\n  --group-name EC2-Maintenance-All-Prod \\\n  --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess\naws iam add-user-to-group --group-name EC2-Maintenance-All-Prod --user-name backend-dev-1\naws iam add-user-to-group --group-name EC2-Maintenance-All-Prod --user-name ops-engineer-1\n# 4) Simulating AD / SSO user provisioning\n# (conceptually: AD group “Prod-Staff” maps to this one big AWS IAM group)\n# In practice this is done via identity provider mapping rules, but the effect is:\n# - If you're in the AD group, you land in a very powerful AWS group.\n# - Deprovisioning can lag up to 24 hours, so ex-employees can still assume these permissions. 
While their senior team members and staff engineers were aware of the concept or term Least Privilege Access, this wasn’t something they thought of at the beginning or during the design phase, because they were running an Extreme Programming agile methodology during the first 1-2 years to speed up the development process.\nPhase 3: Execution # After a conversation with the Engineering Director, I’d propose applying a least privilege access policy company-wide and obtain the backing of leadership.\nOf course, we could not talk about least privilege access without talking about Role-Based Access Control. We have to define the roles and who does what and why.\nWe would perform an analysis over AWS CloudTrail events to determine which users accessed what and why, or what commands they were running against which services.\nFrom there, we created a model of roles with separation of duties and dual controls on sensitive areas such as the AWS key management vaults.\nOnce this is approved, we would assign 2 admins to work together to strip and re-assign access during the hours of least activity (the weekend), with backup plans in case things went wrong.\nWhile implementing this fix, we didn’t touch any running components. It’s simply about addressing the access and security issues.\nThe final setup looked like this:\nBefore this would be rolled out, we would invite a trusted auditor who would assess the risk of this change given the legacy setup.\nOnce the quarterly review period kicks off, we would present all the gains and wins accomplished within 2 months.\nThe overall executive summary of the audit report was positive and favorable.\nThe next problem that is bleeding the company is the optimization problem.\nThe company setup before optimization was very simple. 
It looked like this:\nThe company didn’t particularly have any significant problems in terms of availability, but the risk of things going wrong was very real.\nThey had regular backup processes and recovery procedures in case of an outage.\nThey had properly defined Business Continuity and Disaster Recovery processes as well as RTO and RPO.\nHowever, due to their architecture, they had to do a lot of supervised tasks and processes to ensure that the database backup process was running properly, which indirectly ate away resources from the company in terms of maintenance.\nWe identified several opportunities.\nBottleneck 1: The Database running on EC2 # Instead of running their database on an EC2 instance, we decided to migrate their database to AWS Aurora V2, which can also run MySQL. This was the smoothest transition possible, as it requires little to no code changes except the applications’ connection destination and credentials.\nBy using AWS’s Database Migration Service, we let it run against the current database instance on EC2 for several days, and it copies everything including ongoing operations such as insertions, updates and deletions.\nWe would get 2 massive wins here:\nNo code changes had to be made on services using the database except the path and credentials.\nGiven that AWS Aurora V2 is serverless, this means we no longer have to worry about scalability and availability. AWS Aurora V2 handles those questions on its own with near-zero impact on performance.\nThe engineering teams no longer have to spend their weekends on backup tasks, as those are also handled by AWS Aurora V2.\nBonus: Traceability and tracking of who has access to the database has been improved indirectly by this migration, since access to the database doesn’t need to be managed manually like before on the EC2 instance. Instead, we now control who accesses the database via AWS’s roles and policies. 
Second, database logs can now be streamed via CloudWatch, which makes them easier to search, monitor, and retain for audits.\nBottleneck 2: Huge amount of data on the databases # Now that we have safely moved our database from EC2 to Aurora V2, the next bottleneck was the amount of data which we don’t actually need to keep indefinitely.\nUpon further examination, the company chose to store logging activities in the database and considered it as meeting the PCI DSS requirement for strong logging. However, those logs didn’t actually need to be stored in the database but instead could have been shifted to a much cheaper alternative such as S3 buckets.\nSo we would propose to the dev team to change their applications to store those records instead in an S3 bucket, as a simple CSV file for each account.\nUpon further analysis, we saw that E-discovery cases or legal holds were very rare beyond a period of 3 months.\nOnce the team configured their applications to begin storing account activities for auditing purposes in S3 instead of the database, we migrated all the old records stored in the database into S3 as well.\nWe configured S3 to use S3 Lifecycle configuration, where data is moved after 2 years from Standard to S3 Glacier Instant Retrieval. 
We configured it to move data after 2.5 years of inactivity into S3 Glacier Flexible Retrieval, which was perfect as both clients and third parties didn’t mind waiting a few days to retrieve very old data.\nHere we would get the following wins:\nThe cost of storing those logs was reduced by roughly 20%, which was a significant win.\nEnabling versioning on S3 also made the data much more resilient to ransomware threats.\nBetter software development practices, where we decoupled the auditing requirements from the main service, so now the SaaS focuses more on serving clients instead.\nAfter those specific improvements, our architecture now looks like this:\nPhase 4: Assure: Evidence and Continuous Compliance # Throughout every project performed above, we followed an Agile approach after defining the KPIs and goals or wins at each phase.\nBefore each change, we conduct a meeting with the stakeholders and leadership to get a sign-off, as well as a simulated Business Continuity and Disaster Recovery plan for possible risks at each phase.\nThe process would take roughly 3 months.\nExpected Impact # Such cost optimizations save companies roughly 20-40% in terms of operations costs. The cost of deploying extra resources for investigations due to less than ideal setups as well as rushed design decisions can escalate over time and leads to both financial losses and even liability for the company in case of a data breach.\nNote: In the US, in some states, under specific sectors, there are regulations and notification laws in case of breaches (impacting around 500 customers or more) that require reporting to both authorities and the public (media).\nHow I can help # As a cloud security consultant and architect, I help SaaS teams like yours discover hidden risks, reduce audit headaches, and optimize AWS setup without interrupting performance. 
If this scenario feels familiar, let’s talk about where you are today and what a safer, more efficient architecture could look like for you.\nBook a short call.\nSend me a note\n","date":"14 May 2026","externalUrl":null,"permalink":"/case-studies/how-id-help-a-messy-mid-saas-company-pass-audit-without-slowing-performance/","section":"Case Studies","summary":"A hypothetical engagement showing how a growing SaaS company could improve audit readiness, tighten AWS access controls, migrate away from risky database patterns, and reduce operational drag without slowing performance.","title":"How I'd Help a Messy Mid SaaS Company Pass Audit Without Slowing Performance","type":"case-studies"},{"content":"","date":"14 May 2026","externalUrl":null,"permalink":"/tags/least-privilege/","section":"Tags","summary":"","title":"Least-Privilege","type":"tags"},{"content":"","date":"14 May 2026","externalUrl":null,"permalink":"/categories/saas/","section":"Categories","summary":"","title":"Saas","type":"categories"},{"content":"","date":"14 May 2026","externalUrl":null,"permalink":"/tags/saas/","section":"Tags","summary":"","title":"Saas","type":"tags"},{"content":" ✓ Human-authored analysis; AI used for formatting and proofreading Tokenization is the process of replacing sensitive data (PII, financial, etc.) with a token.\nTokens are generated using secure random generators, so it is extremely difficult for an attacker to steal a token and reverse engineer it unless the random generator at the TSP side has a major vulnerability or is misconfigured. Please note that token generation methods vary by TSP.\nThe benefit of storing tokens is that it significantly reduces the attack surface. 
The risk of stolen credit card information far exceeds the cost of setting up the infrastructure and compute power needed to generate the tokens.\nIn practice, there are nowadays many providers such as Alipay, Google Pay, Samsung Wallet, etc. for such services.\nWhen a payer performs a transaction (using a terminal), the device transmits the DPAN (Device Primary Account Number), usually via NFC, along with other metadata over a protected channel to the Token Service Provider (TSP). On the provider’s side, the backend will de-tokenize the DPAN and forward a payment request to the issuing bank. Once the issuing bank authorizes the payment, a response is sent back to the merchant containing the tokenized transaction information, which can be used for accounting purposes or handling disputes.\nThroughout the process, the merchant never has to collect or store sensitive information such as credit card numbers, which significantly reduces compliance friction as well as overall costs.\nOf course, the communication is protected by transport security and payment network controls, but merchants need to make sure that they are using secure devices since these are physically the single point of failure. However, the process is generally more secure than handling credit cards directly and reduces the costs of disputes as well as insurance claims.\nThe process may seem simple, yet it’s actually very useful for merchants because they have fewer operational burdens to worry about, since the cost of protecting credit card information and compliance can be very expensive, especially for startups or small businesses.\nNote Please note that tokenization is nothing new. 
It is used not only for security and PCI compliance, but also by many organizations when they have the flexibility to replace information they would otherwise have to invest time and money to protect with tokens.\nAs a Cloud Consultant, I help companies deal with similar PCI-related problems they struggle with, since there are over 200 requirements and sub-requirements under PCI DSS. The real challenge that companies face is figuring out whether the return on integrating those payment solutions justifies the cost; and sometimes, this comes as an answer after an unfavorable audit outcome regarding PCI compliance. When I engage with merchants, I help their teams quantify the costs and benefits by identifying potential revenue earned from clients who are accustomed to NFC payments vs. the cost of building and maintaining the infrastructure needed on their backend, using an MVP approach first with Secure Development Life Cycles in mind.\nIf you’re considering integrating payment solutions or struggling with PCI requirements, you can learn more about my cloud and cybersecurity services in my bio or the link below. 
https://www.mousa-cloud.com\n","date":"11 May 2026","externalUrl":null,"permalink":"/case-studies/how-tokenization-reduces-merchants-pci-scope/","section":"Case Studies","summary":"A practical explanation of how tokenization reduces merchants’ PCI scope by limiting cardholder data exposure and shifting sensitive payment handling away from merchant systems.","title":"How Tokenization Reduces Merchants' PCI Scope","type":"case-studies"},{"content":"","date":"11 May 2026","externalUrl":null,"permalink":"/categories/payments/","section":"Categories","summary":"","title":"Payments","type":"categories"},{"content":"","date":"11 May 2026","externalUrl":null,"permalink":"/categories/security-architecture/","section":"Categories","summary":"","title":"Security-Architecture","type":"categories"},{"content":"","date":"11 May 2026","externalUrl":null,"permalink":"/tags/tokenization/","section":"Tags","summary":"","title":"Tokenization","type":"tags"},{"content":" Blog Launched # I’m happy to announce that Mousa Cloud Consulting now has a dedicated blog section for clients, peers and anyone interested in all topics related to cloud, cybersecurity as well as AI governance and security.\nI hope that this blog will help bring value or be a useful educational source for both students and working professionals.\nIf you have any questions, do not hesitate to use the contact form, and I’ll be happy to answer your questions.\n","date":"10 May 2026","externalUrl":null,"permalink":"/posts/blog-created/","section":"Posts","summary":"Mousa Cloud Consulting has launched its blog to share practical insights on cloud security, cybersecurity, and AI governance.","title":"Mousa Cloud Consulting Blog Launched","type":"posts"},{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/categories/news/","section":"Categories","summary":"","title":"News","type":"categories"},{"content":"This is a general stats 
page.\n","externalUrl":null,"permalink":"/stats/","section":"Mousa Cloud Consulting Blog | Cloud Security Expert","summary":"","title":"General Stats","type":"page"},{"content":"","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"}]