Zero Trust — Things Worth Sharing

Zero Trust — Things Worth SharingPosts tagged Zero Trust.https://cloudsecop.net/AWS Security Maturity Model v2: 4 phases in practicehttps://cloudsecop.net/en/blog/aws-security-maturity-model-v2-en/https://cloudsecop.net/en/blog/aws-security-maturity-model-v2-en/Practical walk-through of AWS Security Maturity Model v2: 74 controls across four phases (Quick Wins, Foundational, Efficient, Optimized), real ordering, traps, and Org mapping.Wed, 23 Jul 2025 00:00:00 GMTAWSCloud SecuritySecurity MaturityGovernanceZero TrustKhaVanDLP — patterns, classification, and the 55% false positivehttps://cloudsecop.net/en/blog/dlp-data-loss-prevention/https://cloudsecop.net/en/blog/dlp-data-loss-prevention/DLP deep-dive for Cloudflare One: tuning from 55% to 3% false positives, regex vs Luhn vs context vs EDM, custom CCCD profile, Gateway HTTP inline vs CASB API.Fri, 04 Jul 2025 00:00:00 GMTCloudflareCloudflare OneDLPData ClassificationZero TrustKhaVanCASB: SaaS posture for Google Workspace, M365, Salesforcehttps://cloudsecop.net/en/blog/casb-saas-posture/https://cloudsecop.net/en/blog/casb-saas-posture/CASB deep-dive for Cloudflare One from 3 rollouts: the 4 Gartner pillars, inline vs API, 8,000-finding first-scan shock, shadow IT, tenant-lock, when not to use CASB.Thu, 26 Jun 2025 00:00:00 GMTCloudflareCloudflare OneCASBSaaS SecurityZero TrustKhaVanBrowser Isolation (RBI) — rendering risky web in a remote sandboxhttps://cloudsecop.net/en/blog/browser-isolation-deep-dive/https://cloudsecop.net/en/blog/browser-isolation-deep-dive/Browser Isolation deep dive for Cloudflare One: remote browser architecture (NVR), isolation triggers, data controls (copy/paste/print/download/keyboard), compliance, cost model.Sun, 15 Jun 2025 00:00:00 GMTCloudflareCloudflare OneBrowser IsolationRBIZero TrustKhaVanDevice posture and continuous verification: every requesthttps://cloudsecop.net/en/blog/device-posture-every-request/https://cloudsecop.net/en/blog/device-posture-every-request/Device posture deep dive for Zero Trust: WARP checks (OS, disk encryption, firewall), EDR integration, continuous verification in Access policy, and response to posture loss.Wed, 11 Jun 2025 00:00:00 GMTCloudflareCloudflare OneZero TrustDevice PostureEDRKhaVanDEX — Digital Experience Monitoring: reactive to SLOshttps://cloudsecop.net/en/blog/dex-experience-monitoring/https://cloudsecop.net/en/blog/dex-experience-monitoring/DEX deep dive for Cloudflare One: when control plane says UP but users say SLOW, latency-leg diagnosis (DNS/TCP/TLS/TTFB), SLO framework, and 5 failure modes DEX misses.Tue, 03 Jun 2025 00:00:00 GMTCloudflareCloudflare OneDEXObservabilityZero TrustKhaVanNetwork policy L4 — blocking non-HTTP, DoH bypass, and app ruleshttps://cloudsecop.net/en/blog/network-policy-l4/https://cloudsecop.net/en/blog/network-policy-l4/Network policy deep dive: blocking non-HTTP (SSH, RDP, SMTP), preventing DoH bypass, app rules for SaaS, WARP keeping user traffic on Gateway, prod checklist, hardening playbook.Mon, 19 May 2025 00:00:00 GMTCloudflareCloudflare OneGatewayNetworkingZero TrustKhaVanGateway DNS filtering — the first layer of a Secure Web Gatewayhttps://cloudsecop.net/en/blog/gateway-dns-policies/https://cloudsecop.net/en/blog/gateway-dns-policies/Gateway DNS deep dive: resolver architecture, policy order, DoH per-device vs DNS location per-site, threat categories, custom lists, OS bypasses, SIEM pipeline, prod checklist.Sat, 03 May 2025 00:00:00 GMTCloudflareCloudflare OneGatewayDNSZero TrustKhaVanThe four-layer mental model — Client, Identity, Policy, Resourcehttps://cloudsecop.net/en/blog/client-identity-policy-resource-mental-model/https://cloudsecop.net/en/blog/client-identity-policy-resource-mental-model/A framework for reasoning about every Cloudflare One feature: every request traverses four layers producing signals, and policy yields one of five outcomes. Rollout and debugging.Sat, 08 Feb 2025 00:00:00 GMTCloudflareCloudflare OneZero TrustArchitectureKhaVanSASE, SSE, Zero Trust, ZTNA: getting the terminology righthttps://cloudsecop.net/en/blog/sase-sse-zero-trust-terminology/https://cloudsecop.net/en/blog/sase-sse-zero-trust-terminology/Four terms routinely conflated in RFPs, design docs, and vendor marketing. Their scope, when Gartner/Forrester defined them, how to use each correctly, and a decision tree.Fri, 31 Jan 2025 00:00:00 GMTCloudflareCloudflare OneSASESSEZero TrustKhaVanWhat is Cloudflare One, and why SASE mattershttps://cloudsecop.net/en/blog/what-is-cloudflare-one/https://cloudsecop.net/en/blog/what-is-cloudflare-one/A practical overview of Cloudflare One: SASE, SSE, Zero Trust, the six main product groups, how it compares to Zscaler and Netskope, and the mental model to have before deployment.Thu, 23 Jan 2025 00:00:00 GMTCloudflareCloudflare OneSASEZero TrustKhaVanWorkload Identity Federation AWS to GCP: keyless authhttps://cloudsecop.net/en/blog/cross-cloud-workload-identity-federation/https://cloudsecop.net/en/blog/cross-cloud-workload-identity-federation/Workload Identity Federation deep dive: why Service Account Keys are anti-pattern, AWS STS → Google STS exchange, attribute mapping, impersonation, threat model, Terraform.Wed, 08 Jan 2025 00:00:00 GMTCloud SecurityAWSGCPIdentity FederationMulti-CloudZero TrustKhaVanNotes from three months of rolling out Zero Trusthttps://cloudsecop.net/en/blog/zero-trust-rollout-notes/https://cloudsecop.net/en/blog/zero-trust-rollout-notes/What actually worked, what didn't live up to expectation, and the operational lessons from rolling out Cloudflare Zero Trust across an organisation of thousands.Sun, 08 Dec 2024 00:00:00 GMTSecurityZero TrustCloudflareKhaVan