https://davyhua.com/tags/soc2/ Recent content in SOC2 on Davy Hua | Security & Cloud Infrastructure Operations Hugo en-us Thu, 30 Mar 2023 00:00:00 +0000 https://davyhua.com/blog/security-challenges-in-cloud-native-environments/ Thu, 30 Mar 2023 00:00:00 +0000 https://davyhua.com/blog/security-challenges-in-cloud-native-environments/ <h1 id="cloud-native-security-where-things-actually-go-wrong">Cloud-native security: where things actually go wrong</h1> <p>Cloud-native didnt make security harder.</p> <p>It made it faster to fail.</p> <p>Microservices, Kubernetes, CI/CD, managed services, all great.</p> <p>But they amplify the same old problems:</p> <ul> <li>unclear ownership</li> <li>bad access discipline</li> <li>no visibility when it matters</li> <li>compliance as paperwork</li> </ul> <p>Here are the security failures I see most often in cloud-native DevOps environments, and what to do about them.</p> <h2 id="1-you-dont-know-what-you-have-visibility-is-missing">1) You don&rsquo;t know what you have (visibility is missing)</h2> <p>If you can&rsquo;t answer these in 30 seconds, you&rsquo;re flying blind:</p> https://davyhua.com/blog/cloud-security-compliance/ Sat, 25 Mar 2023 00:00:00 +0000 https://davyhua.com/blog/cloud-security-compliance/ <h1 id="cloud-compliance-stop-treating-audits-like-a-seasonal-panic">Cloud compliance: stop treating audits like a seasonal panic</h1> <p>Most compliance pain isn&rsquo;t caused by auditors.</p> <p>It&rsquo;s caused by teams trying to reconstruct reality six months later.</p> <p>Cloud compliance gets easier when you accept one rule:</p> <blockquote> <p>Audits are evidence problems.</p> </blockquote> <p>Not policy problems.</p> <p>Not tool problems.</p> <p>Evidence problems.</p> <h2 id="what-compliance-actually-requires">What compliance actually requires</h2> <p>Whether it&rsquo;s HIPAA, PCI DSS, GDPR, SOC 2, the themes repeat:</p> <ul> <li>control access</li> <li>protect data</li> <li>log activity</li> <li>manage change</li> <li>prove you did the above</li> </ul> <p>If you can&rsquo;t prove it, it doesn&rsquo;t count.</p>