Welcome to the blog! Some articles might later become book chapters, while others cover current industry trends.
📌 Recent Posts:
What is the problem with the image that comes with Zero Trust based information security? Once you understand the principles, and they are not really difficult, it is obvious that only ZT can lead us to a more secure cyber future. So, what is holding us back? Here are some of the misconceptions: “It is a boatload of work, so let’s not start.” Truth: yes, fully securing your IT with all its technical debt is a boatload of work. That is exactly the reason why you need ZT: so that you know where you can get started quickly, and be more secure before the last hole is plugged. ...
This is the dawn of a new age. I have been observing software development for more than fifty years, ever since I wrote my first computer program. In that entire time, I have never witnessed a development that has changed the profession more deeply, faster, or more pervasively than now. AI-assisted coding has escaped from the lab, and is impacting the work of every software developer. In the communities I track I hear stories of software engineers who regret taking a single week of vacation because of the innovations that they now have to catch up on. ...
If you build software for a living, generative AI may be a scary development, as it has the potential to take over a lot of software creation. But I think it depends on what you see as the job of creating software. A coder in the world of IT is somebody who writes code in some programming language. More typically they modify code instead of writing it from scratch. This is in response to bugs, feature requests, and so on. In the age of AI, a lot of coding can be automated. We have seen many examples of AI generating lots of code based on fairly compact specifications. ...
Here is the story of how I started to use AI to help with running and securing my home network. I call it vibe ops, in analogy to vibe programming. This post is going to be obsolete very soon, even though it is already the second version … My home network plays an additional role as a nice lab, and in the process of better securing it, preferably with Zero Trust Architectures, I am doing some experiments. ...
‘But where do we start?’ The question hung in the air of my training session, asked by many of the attendants. Mind you, these are experienced people with many years of cyber security experience. But turning Zero Trust from an abstract concept into concrete action? That’s where everyone gets stuck. I know that feeling well. Years ago, I joined my first Zero Trust working group, swimming in a sea of frameworks, agency guidelines, and vendor whitepapers. I even had the privilege of attending sessions with John Kindervag, the father of Zero Trust himself. Yet the gap between theory and implementation remained stubbornly wide. ...
The security of your SaaS cloud solutions starts with the review of three major areas. Practically all companies are using SaaS providers in one way or another. SaaS includes services such as Trello for project management, Microsoft 365, and specialized solutions such as marketing intelligence services. The sky is the limit. Most companies are using hundreds of SaaS solutions. Here are 3 tips to start with.
Maturity match
The first thing to worry about is whether the maturity of the provider matches your risk appetite. Are they good enough for your use case? If you are working with a mission-critical SaaS solution, you want to make sure that the provider is mature. You can start finding out if that is the case by looking at their certifications. An example could be the ISO 27000 series certification for IT risk management, or similar. Most mature cloud providers have dozens of certifications. On the other end of the spectrum, you may want to work with a provider that is not so mature, but that is delivering a very innovative solution of great business benefit to your company. That benefit, that competitive edge, may warrant a greater risk appetite. So start with that maturity match first. ...
“Project Zero Trust” is a business novel by George Finney. It talks about an emerging approach to IT and Cybersecurity that attempts to reduce cyberrisk in a more fundamental way. Zero Trust is a bit of a hype in IT these days, and both product companies and knowledge agencies are dropping lots of papers on this. But this book is in another game. What I like about it is that it paints a reasonably realistic picture of a modern enterprise, including the information technology choices that it makes. This serves as a good backdrop to a variety of Zero Trust initiatives, which are described in a bit of detail. As an instructor I find that most of the vendor neutral training material out there lacks specific examples. This makes it hard for students to anchor the abstract concepts that they are fed to a realistic environment with some resemblance to their job situation. ...
What are the real challenges in cloud security these days? In my recent conversations with industry practitioners, one came up consistently: the lack of knowledge and skills to adopt cloud securely. These gaps are slowing down how teams build, manage and secure their cloud environments, and they may be affecting your teams as well.
Provider-specific technical expertise
Many IT professionals attempt to transfer their on-premises security knowledge directly to the cloud. But this often leads to ineffective and hard-to-maintain solutions. A technical example is insisting on traditional firewall architectures. These are hard to implement right in the cloud and can lead to less secure deployments than are possible with cloud-native architectures. One set of skills that is relevant to addressing this is understanding what features a specific cloud provider offers for building a secure architecture. There are many courses available from the providers, even free ones, though it can sometimes be a bit challenging to select the right ones. However, without understanding how abstraction and automation change the IT security game, these technical skills will not result in more efficiency. And without more efficiency, security efforts will be outpaced by the speed of new developments. ...
Model Context Protocols (MCP, see my post on their security) are the new glue between humans, chatbots, and old-school IT. Here is the step-by-step approach that I followed to ‘vibe code’ a Model Context Protocol server for my CRM and mailing list manager. I journaled this description, so I have included most of the detours and false starts. For readability, I edited the description later, but the flow is as I went through it. ...
If you are in security and not fully on top of AI risk, you want to look at MCP now, as this is going to be popular and risky. Reach out to your development teams and beyond to offer your help in using them wisely, even if you know nothing about them yet. MCP, the Model Context Protocol, was introduced in November 2024 as a standardised way to feed AI chatbots with extra information. You can extend the Claude or OpenAI desktop apps with MCP servers, which are basically small programs that run on the desktop and have access to all the information and services that the user has. ...