Built a Zero Trust device onboarding pipeline using MDM, a NAC proxy, and SCEP.

The Napkin Architecture Series - Device Onboarding with SCEP and NAC

Solved the "Secret Zero" Problem with Jenkins, Ansible, and Vault

The Napkin Architecture Series - Secret Zero, Jenkins, Ansible, and Vault

A quick look at database security architectures, contrasting the middleware pattern of AWS RDS Proxy with the client-side approach of Tencent Cloud CAM.

A Tale of Two Clouds - AWS RDS Proxy vs. Tencent Cloud CAM

Stop using hard-coded tokens like it's 2007: A deep dive into securing microservices with OAuth 2.0 Client Credentials and the magic of JWKS key rotation.

Stop Hand-Crafting Tokens

Learn how to use S3 Presigned URLs to securely share private files without ever making your bucket public.

Stop Making Your S3 Buckets Public! A Guide to Presigned URLs

This hands-on guide walks you through setting up Kerberos and LDAP on Ubuntu to achieve secure, password-free database access for service accounts, inspired by real-world practices at Uber.

InfoSec Architect 102-Service Accounts in the Linux Universe

This post uses a hands-on Go demo to show how SPIFFE/SPIRE automates Zero Trust security for gRPC microservices.

From Zero to Zero Trust: Securing Microservices with SPIFFE (The Fun Way!)

Why fundamental digital principles are as invisible (and essential) as the laws of physics.

Hacker and Physicist - A Tale of "Common Sense"

This post explores how WeChat's PhxSQL uses the "Fastest Majority" principle to offer a timeless lesson in designing fast and resilient distributed database systems.

A Look Back at WeChat's PhxSQL and the 'Fastest Majority'

This is a therapy session for anyone traumatized by fragile scripts. I traded my `cron/try/catch` nightmares for a robot project manager named Temporal.

An InfoSec Architect's First Taste of Temporal

a.k.a. I wrote a Raft cluster in Go and accidentally learned a lot

Consensus Algorithms Through the Eyes of an Infosec Architect

Service accounts may sound boring, but they’re the unsung heroes of secure automation. In this post, we time-travel back to the prehistoric age of Windows domains to see how service accounts and Kerberos work together to avoid hardcoded passwords and security nightmares.

InfoSec architect 101-Service account from prehistory

Sharing my exam prep insights and key technical focus areas like IAM, KMS, and VPC to help others prepare for the AWS Security Specialty exam.

AWS Security Specialty: What I Learned Preparing for the Exam

Explore envelope encryption and its importance for cloud security, using AWS Key Management Service (KMS) and OpenSSL to protect sensitive data.

Envelope Encryption: Boosting Cloud Security with KMS

Discover how to use Terraform and AWS Key Management Service (KMS) to encrypt DynamoDB tables and enhance cybersecurity.

Encrypting DynamoDB with AWS KMS: A Secure and Easy Guide

Discover the significance of bastion hosts in cloud security and learn how to set up a secure gateway using Terraform in AWS, ensuring protection for private resources while reducing the attack surface area.

Bastion Hosts: Safeguarding Your Cloud Resources

Exploring the nuances of Attribute-based Access Control (ABAC) and Role-based Access Control (RBAC) in cloud security using Terraform, and understanding their strategic implementation in managing AWS tagged resources.

ABAC and RBAC: A Journey with Terraform and AWS Tagged Resources

A practical (and funny) guide to implementing a split-privilege model in AWS. We'll separate the power to create permissions from the power to assign them, making your cloud a whole lot safer.

An IAM Split-Privilege Model with Terraform for Robust Cybersecurity

An old-timer's guide to using Terraform to manage who gets to touch what in your AWS account. Learn about IAM users, policies, groups, and roles without falling asleep.

Harnessing AWS IAM and Terraform for Enhanced Cybersecurity

An old-timer's take on why managing cloud infrastructure by hand is a security nightmare, and how Terraform can save your bacon.

Latest

The Napkin Architecture Series - Device Onboarding with SCEP and NAC

The Napkin Architecture Series - Secret Zero, Jenkins, Ansible, and Vault

A Tale of Two Clouds - AWS RDS Proxy vs. Tencent Cloud CAM

Stop Hand-Crafting Tokens

Stop Making Your S3 Buckets Public! A Guide to Presigned URLs