AWS Security Maturity Model v2: 4 phases in practice
Practical walk-through of AWS Security Maturity Model v2: 74 controls across four phases (Quick Wins, Foundational, Efficient, Optimized), real ordering, traps, and Org mapping....
DLP deep-dive for Cloudflare One: tuning from 55% to 3% false positives, regex vs Luhn vs context vs EDM, custom CCCD profile, Gateway HTTP inline vs CASB API....
CASB deep-dive for Cloudflare One from 3 rollouts: the 4 Gartner pillars, inline vs API, 8,000-finding first-scan shock, shadow IT, tenant-lock, when not to use CASB....
Browser Isolation deep dive for Cloudflare One: remote browser architecture (NVR), isolation triggers, data controls (copy/paste/print/download/keyboard), compliance, cost model....
Device posture deep dive for Zero Trust: WARP checks (OS, disk encryption, firewall), EDR integration, continuous verification in Access policy, and response to posture loss....
DEX deep dive for Cloudflare One: when control plane says UP but users say SLOW, latency-leg diagnosis (DNS/TCP/TLS/TTFB), SLO framework, and 5 failure modes DEX misses....
Network policy deep dive: blocking non-HTTP (SSH, RDP, SMTP), preventing DoH bypass, app rules for SaaS, WARP keeping user traffic on Gateway, prod checklist, hardening playbook....
Gateway DNS deep dive: resolver architecture, policy order, DoH per-device vs DNS location per-site, threat categories, custom lists, OS bypasses, SIEM pipeline, prod checklist....
A framework for reasoning about every Cloudflare One feature: every request traverses four layers producing signals, and policy yields one of five outcomes. Rollout and debugging....
Four terms routinely conflated in RFPs, design docs, and vendor marketing. Their scope, when Gartner/Forrester defined them, how to use each correctly, and a decision tree....
A practical overview of Cloudflare One: SASE, SSE, Zero Trust, the six main product groups, how it compares to Zscaler and Netskope, and the mental model to have before deployment....
Workload Identity Federation deep dive: why Service Account Keys are an anti-pattern, AWS STS → Google STS exchange, attribute mapping, impersonation, threat model, Terraform....
What actually worked, what didn't live up to expectation, and the operational lessons from rolling out Cloudflare Zero Trust across an organisation of thousands....