Cloud Security
Identity-first guardrails for AWS & Azure. Reduce blast radius, protect data, and keep developers fast — with evidence you can audit.
Controls Framework
- Orgs/Policies, SCPs/deny-by-default, enforced MFA.
- Federated SSO, least-privilege roles, right-sizing, break-glass rotation & logs.
- Zero-trust segmentation, private endpoints, WAF/DDoS, strict egress.
- Service auth mTLS/OIDC; secrets via KMS/Key Vault.
- Encryption in transit/at rest; key lifecycle & rotation; envelope encryption.
- Classification & residency policies aligned to POPIA.
- Hardened images; EDR; container/IaC scanning; signed artifacts; drift detection.
- CloudTrail/Activity Logs → SIEM; detective controls; evidence mapped to CIS/NIST/ISO/POPIA.
- IR playbooks per service; ring-fenced forensics; immutable backups; tabletops.
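The "SCPs/deny-by-default" and "enforced MFA" guardrails above, as an added example (not the consultancy's own tooling or policy): a hypothetical organisation-level SCP that allows only approved services, denies any call made without MFA, pins requests to approved regions (af-south-1 for POPIA residency) and protects CloudTrail from being switched off, plus a simplified evaluator modelling the documented precedence of AWS policy evaluation (explicit deny wins, an allow is required, everything else is an implicit deny). The evaluator covers only the operators this policy uses; it is a teaching model, not the IAM policy engine.

```python
"""Deny-by-default SCP with enforced MFA, plus a simplified evaluator.

Added example for this page, not the consultancy's own tooling. The policy
document is constructed (hypothetical); the evaluator models only the
documented precedence of AWS policy evaluation: an explicit Deny always wins,
an Allow is required, and anything else is an implicit deny. It supports just
the pieces this policy uses (Action wildcards, StringNotEquals, BoolIfExists).
"""
import fnmatch
import json

# Hypothetical SCP: allow only approved services, require MFA on every call,
# pin requests to approved regions and protect the audit trail.
DENY_BY_DEFAULT_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowApprovedServices",
            "Effect": "Allow",
            "Action": ["s3:*", "ec2:*", "kms:*", "cloudtrail:*", "iam:*", "sts:*"],
            "Resource": "*",
        },
        {
            # BoolIfExists: a missing aws:MultiFactorAuthPresent key counts as a
            # match, so sessions that never presented MFA are denied as well.
            "Sid": "DenyWithoutMFA",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
        {
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["af-south-1", "eu-west-1"]}},
        },
        {
            "Sid": "DenyAuditTrailTampering",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"],
            "Resource": "*",
        },
    ],
}


def _action_matches(patterns, action):
    """Case-insensitive wildcard match of an IAM action against Action entries."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate the two operators used above; every key must hold for a match."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringNotEquals":
                # Negated operators match when the key is absent from the request.
                if actual is not None and actual in expected:
                    return False
            elif operator == "BoolIfExists":
                # Absent key => match; a present key must equal the expected value.
                if actual is not None and str(actual).lower() != expected[0]:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled")
    return True


def evaluate_scp(policy, action, context):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"  # deny wins regardless of statement order
        allowed = True
    return "allow" if allowed else "implicit_deny"


def policy_json(policy=DENY_BY_DEFAULT_SCP):
    """Serialise the policy as the JSON document you would attach to an OU."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    mfa_session = {"aws:MultiFactorAuthPresent": "true", "aws:RequestedRegion": "af-south-1"}
    print(evaluate_scp(DENY_BY_DEFAULT_SCP, "s3:GetObject", mfa_session))
    print(evaluate_scp(DENY_BY_DEFAULT_SCP, "s3:GetObject", {"aws:RequestedRegion": "af-south-1"}))
    print(policy_json())
```

The allow statement is what makes the policy deny-by-default: a service not listed there (Lambda, in the test cases) is implicitly denied even with MFA and an approved region. Before attaching a policy like this, check it against service roles that never carry the MFA key, because BoolIfExists treats that absence as a match.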
Evidence & Audit
| Control Area | Evidence We Produce | Cadence |
|---|---|---|
| Identity | Role inventory, unused-perm diffs, MFA coverage | Monthly |
| Network | Ingress/egress allow lists, private endpoint coverage | Monthly |
| Data | Classifications, key rotation logs, residency hits | Quarterly |
| Workloads | Baseline drift, image provenance, CVE burn-down | Monthly |
| Backups/IR | Restore tests, RTO/RPO, tabletop outcomes | Quarterly |
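The monthly Identity row of the table, as an added example (not the consultancy's evidence tooling): a script that turns a credential report and per-action "last used" data into the three artefacts named there, MFA coverage, an unused-permission list per role, and a diff of granted permissions against last month's snapshot. All inputs are constructed in the file so it runs offline; in practice they would be pulled from the IAM credential report and Access Advisor data, which this example does not call.

```python
"""Monthly identity evidence: MFA coverage, unused-permission diffs, role inventory.

Added example for this page, not the consultancy's tooling. The inputs are
constructed here to resemble an IAM credential report and IAM "last accessed"
data; no AWS API is called, so the script runs offline.
"""
from datetime import date, timedelta

AS_OF = date(2024, 6, 1)  # constructed reporting date

# Constructed credential-report rows (hypothetical users).
CREDENTIAL_REPORT = [
    {"user": "alice", "password_enabled": True, "mfa_active": True},
    {"user": "bob", "password_enabled": True, "mfa_active": False},
    {"user": "carol", "password_enabled": True, "mfa_active": True},
    {"user": "ci-deploy", "password_enabled": False, "mfa_active": False},  # key-only, no console
]

# Constructed role inventory: granted actions and the date each was last used
# (None = never used inside the retention window).
ROLE_INVENTORY = {
    "app-reader": {
        "granted": {"s3:GetObject", "s3:ListBucket", "dynamodb:GetItem", "iam:PassRole"},
        "last_used": {
            "s3:GetObject": date(2024, 5, 28),
            "s3:ListBucket": date(2024, 5, 30),
            "dynamodb:GetItem": date(2024, 1, 3),
            "iam:PassRole": None,
        },
    },
    "break-glass": {"granted": {"*"}, "last_used": {"*": date(2024, 3, 15)}},
}

# Constructed snapshot of last month's grants, used for the diff.
PREVIOUS_GRANTS = {
    "app-reader": {"s3:GetObject", "s3:ListBucket", "dynamodb:GetItem"},
    "break-glass": {"*"},
}


def mfa_coverage(report):
    """Return (users_with_mfa, console_users). Key-only users are out of scope."""
    console = [r for r in report if r["password_enabled"]]
    covered = [r for r in console if r["mfa_active"]]
    return len(covered), len(console)


def users_missing_mfa(report):
    """Console users without MFA: the list that needs closing before the next pack."""
    return sorted(r["user"] for r in report if r["password_enabled"] and not r["mfa_active"])


def unused_permissions(role, lookback_days=90, as_of=AS_OF):
    """Granted actions not exercised in the lookback window: right-sizing candidates."""
    cutoff = as_of - timedelta(days=lookback_days)
    unused = []
    for action in sorted(role["granted"]):
        last = role["last_used"].get(action)
        if last is None or last < cutoff:
            unused.append(action)
    return unused


def permission_diff(previous, current):
    """Diff two snapshots (role name -> granted set); roles without change are omitted."""
    diff = {}
    for name in sorted(set(previous) | set(current)):
        before, after = previous.get(name, set()), current.get(name, set())
        added, removed = sorted(after - before), sorted(before - after)
        if added or removed:
            diff[name] = {"added": added, "removed": removed}
    return diff


def evidence_pack(report, inventory, previous_grants, as_of=AS_OF):
    """Assemble the monthly Identity evidence as one serialisable record."""
    covered, total = mfa_coverage(report)
    current_grants = {name: role["granted"] for name, role in inventory.items()}
    return {
        "as_of": as_of.isoformat(),
        "mfa_coverage_pct": round(100 * covered / total, 1) if total else 100.0,
        "users_missing_mfa": users_missing_mfa(report),
        "unused_permissions": {n: unused_permissions(r, as_of=as_of) for n, r in inventory.items()},
        "permission_diff": permission_diff(previous_grants, current_grants),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_pack(CREDENTIAL_REPORT, ROLE_INVENTORY, PREVIOUS_GRANTS), indent=2))
```

The permission diff is the part auditors tend to ask about: with the constructed data it flags that `app-reader` gained `iam:PassRole` since last month while never having used it, which is exactly the kind of grant a posture review should question.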
Engagement Packages
Baseline Sprint (2–4 weeks)
- Org guardrails, MFA, logging, top-3 risks closed.
- Evidence pack v1 + drift monitoring on.
Operate & Assure
- Drift response, monthly evidence, posture reviews with exec pack.
Outcome Add-ons
- Container signing, secrets rotation, backup immutability tests, PAM integration.
How We Land It
- Diagnose: bills, logs, IAM graph, egress map, backup health.
- Design: venue-neutral options; control set with trade-offs.
- Do: top-value controls first; CI/CD gates & images updated.
- Drive: reviews, drift MTTR, evidence cadence.