Welcome to the blog! Some articles might later become book chapters, while others cover current industry trends.
📌 Recent Posts:
‘But where do we start?’ The question hung in the air of my training session, asked by many of the attendees. Mind you, these are experienced people with many years in cyber security. But turning Zero Trust from an abstract concept into concrete action? That is where everyone gets stuck. I know that feeling well. Years ago, I joined my first Zero Trust working group, swimming in a sea of frameworks, agency guidelines, and vendor whitepapers. I even had the privilege of attending sessions with John Kindervag, the father of Zero Trust himself. Yet the gap between theory and implementation remained stubbornly wide. ...
The security of your SaaS cloud solutions starts with a review of three major areas. Practically all companies use SaaS providers in one way or another. SaaS includes services such as Trello for project management, Microsoft 365, and specialised solutions such as marketing intelligence services. The sky is the limit, and most companies are using hundreds of SaaS solutions. Here are three tips to start with. Maturity match: the first thing to worry about is whether the maturity of the provider matches your risk appetite. Are they good enough for your use case? If you are working with a mission-critical SaaS solution, you want to make sure that the provider is mature. You can start finding out whether that is the case by looking at their certifications, for example an ISO 27001 certification for information security management, or similar. Most mature cloud providers have dozens of certifications. On the other end of the spectrum, you may want to work with a provider that is not so mature but that delivers a very innovative solution of great business benefit to your company. That benefit, that competitive edge, may warrant a greater risk appetite. So start with that maturity match first. ...
“Project Zero Trust” is a business novel by George Finney. It talks about an emerging approach to IT and cyber security that attempts to reduce cyber risk in a more fundamental way. Zero Trust is somewhat hyped in IT these days, and both product companies and knowledge agencies are publishing lots of papers on it. But this book is in another game. What I like about it is that it paints a reasonably realistic picture of a modern enterprise, including the information technology choices that it makes. This serves as a good backdrop to a variety of Zero Trust initiatives, which are described in some detail. As an instructor I find that most of the vendor-neutral training material out there lacks specific examples. This makes it hard for students to anchor the abstract concepts they are fed to a realistic environment with some resemblance to their job situation. ...
What are the real challenges in cloud security these days? In my recent conversations with industry practitioners, one came up consistently: the lack of knowledge and skills to adopt cloud securely. These gaps are slowing down how teams build, manage and secure their cloud environments, and they may be affecting your teams as well. Provider-specific technical expertise: many IT professionals attempt to transfer their on-premises security knowledge directly to the cloud. But this often leads to ineffective and hard-to-maintain solutions. A technical example is insisting on traditional firewall architectures. These are hard to implement correctly in the cloud and can lead to less secure deployments than are possible with cloud-native architectures. One set of skills that is relevant to addressing this is understanding what features a specific cloud provider offers for building a secure architecture. There are many courses available from the providers, even free ones, though it can sometimes be a bit challenging to select the right ones. However, without understanding how abstraction and automation change the IT security game, these technical skills will not result in more efficiency. And without more efficiency, security efforts will be outpaced by the speed of new developments. ...
The Model Context Protocol (MCP, see my post on its security) is the new glue between humans, chatbots, and old-school IT. Here is the step-by-step approach that I followed to ‘vibe code’ a Model Context Protocol server for my CRM and mailing list manager. I journaled this description, so I have included most of the detours and false starts. For readability, I edited the description later, but the flow is as I went through it. ...
If you are in security and not fully on top of AI risk, you want to look at MCP now, as it is going to be popular and risky. Reach out to your development teams and beyond to offer your help in using it wisely, even if you know nothing about it yet. MCP, the Model Context Protocol, was introduced in November 2024 as a standardised way to feed AI chatbots with extra information. You can extend Claude or OpenAI desktop with MCP servers, which are basically small programs that run on the desktop and have access to all the information and services that the user has. ...
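The point that an MCP server runs with the full access of the desktop user is what makes it risky, so the least-privilege check belongs inside the server itself. The following is an added illustration, not code from this blog or from the official MCP SDK: a toy server that answers MCP-style JSON-RPC 2.0 messages (method names `initialize`, `tools/list` and `tools/call`, and the `content`/`isError` result shape follow the public MCP spec as I read it, but the handshake is simplified) and exposes one `read_file` tool that is confined to a single directory. The sandbox directory, its file and the two calls in `demo()` are constructed for the example.

```python
"""Toy MCP-style server with one filesystem tool confined to an allowed root.

Added example, not the MCP SDK. Messages are newline-delimited JSON-RPC 2.0, the
shape MCP uses for its stdio (desktop) transport; method names and the tool
result shape (content list, isError flag) follow the public MCP spec as I read it.
"""
import json
import os
import sys
import tempfile

# One tool; the schema is what a client would show to the model.
TOOLS = [{
    "name": "read_file",
    "description": "Read a UTF-8 text file located below the allowed root.",
    "inputSchema": {"type": "object",
                    "properties": {"path": {"type": "string"}},
                    "required": ["path"]},
}]


class Server:
    def __init__(self, root):
        self.root = os.path.realpath(root)

    def _safe_path(self, user_path):
        # Resolve '..' and symlinks first, then compare canonical paths, so
        # 'docs/../../etc/passwd', an absolute path (os.path.join discards the
        # root when the second argument is absolute) and a symlink pointing
        # outside the root are all rejected.
        candidate = os.path.realpath(os.path.join(self.root, user_path))
        if os.path.commonpath([self.root, candidate]) != self.root:
            raise PermissionError(f"path escapes allowed root: {user_path!r}")
        return candidate

    def handle(self, msg):
        mid = msg.get("id")
        method = msg.get("method")
        try:
            if method == "initialize":
                result = {"protocolVersion": "2024-11-05",  # assumed spec revision
                          "capabilities": {"tools": {}},
                          "serverInfo": {"name": "toy-file-server", "version": "0.1"}}
            elif method == "tools/list":
                result = {"tools": TOOLS}
            elif method == "tools/call":
                params = msg.get("params") or {}
                if params.get("name") != "read_file":
                    raise ValueError(f"unknown tool: {params.get('name')!r}")
                path = (params.get("arguments") or {}).get("path")
                if not isinstance(path, str):
                    raise ValueError("argument 'path' must be a string")
                with open(self._safe_path(path), encoding="utf-8") as fh:
                    result = {"content": [{"type": "text", "text": fh.read()}]}
            else:
                return {"jsonrpc": "2.0", "id": mid,
                        "error": {"code": -32601, "message": f"method not found: {method}"}}
        except (PermissionError, ValueError, OSError) as exc:
            # A failed tool call is reported as a result with isError, so the model
            # sees the refusal; only unknown methods use the JSON-RPC error object.
            return {"jsonrpc": "2.0", "id": mid,
                    "result": {"content": [{"type": "text", "text": str(exc)}],
                               "isError": True}}
        return {"jsonrpc": "2.0", "id": mid, "result": result}


def serve_stdio(server, inp=sys.stdin, out=sys.stdout):
    """One JSON-RPC message per line on stdin, one reply per line on stdout."""
    for line in inp:
        line = line.strip()
        if line:
            out.write(json.dumps(server.handle(json.loads(line))) + "\n")
            out.flush()


def demo():
    """Constructed sandbox: one allowed file, a benign read, then a traversal attempt."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("quarterly numbers")
    srv = Server(root)
    ok = srv.handle({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                     "params": {"name": "read_file", "arguments": {"path": "notes.txt"}}})
    bad = srv.handle({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                      "params": {"name": "read_file",
                                 "arguments": {"path": "../../etc/passwd"}}})
    return ok, bad


if __name__ == "__main__":
    if "--demo" in sys.argv:
        for reply in demo():
            print(json.dumps(reply, indent=2))
    else:  # python toy_mcp.py /path/to/allowed/root  (then pipe JSON-RPC lines in)
        serve_stdio(Server(sys.argv[1] if len(sys.argv) > 1 else os.getcwd()))
```

The design point is that the allowed root is a property of the server process, not something the model can negotiate per call: whatever the chatbot asks for, the path is canonicalised and prefix-checked before any file is opened, and the refusal goes back as a normal tool result so the conversation continues without the server crashing or leaking an exception.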
How does vibe coding work in the real world? Vibe coding is having AI write your software. Coined by Andrej Karpathy, the hype is all over the map, with companies rethinking their hiring strategies for programmers. Sounds like disaster for software engineers and programmers. Not so fast. Curious to learn more about it, I reached out to an old friend who is an experienced software engineer. He was a co-founder of a SaaS company in the monitoring space. After a successful exit he now has a bit more time to pursue hobbies. But he is still professionally busy. ...
The national mood is negative about dependence on ‘big tech’. Government data sits in an American cloud, we have no social network of our own, and so on. Similar sentiments exist at other organisations. Rightly, an initiative is now being launched at government level to do something about that dependence. This initiative is also known as Cloud Kootwijk. But a motion in parliament does not get us there yet. Emotions are often a good indicator, but not a good substantive analysis. They therefore sometimes lead to decisions that turn out to be clumsy, or even counterproductive. Here the emotion exposes distrust, but what that distrust is aimed at must be determined by analysis. ...
Five elements of cloud security. Historically, IT security started with infrastructure security. Just protecting the data center was good enough. But that was before we had data communications. When data started to escape the confines of the data center we needed to protect it, typically through encryption. Hence we need data security. As the world wide web developed, we saw applications being exposed to it and, frankly, being vulnerable. That is when application security started to become more important. ...
How cool would it be to let an AI do some of the grunt work in analysing the risk of applications and services? This has the potential to speed up the work of risk assessors. But does it work in practice? Well, here is an example of AI-assisted risk classification. I downloaded some of the entries in the Dutch algorithm register, which is a public register of systems that use algorithms. For each entry about 30 fields are available, including name, classification, owner, et cetera. Some of the systems in the register are AI-based. Indeed, we have AI to help check on AI… ...