80% of organisations experienced a cloud security incident last year. Misconfigurations account for nearly 40% of breaches. Non-human identities outnumber humans 45-to-1. The reports are loud and clear, but they're written for companies with dedicated SOCs and six-figure tooling budgets. What about the rest of us?
I run security for a 25-person SaaS company. No SOC, no CNAPP platform, no dedicated security team. Just me. This talk is the honest version of what securing a distributed system on AWS and Kubernetes actually looks like at that scale. I'll cover the three things that moved the needle most: getting cloud posture right with the security tools AWS already gives you but most teams never turn on, locking down identity and access so overprivileged service accounts stop being your biggest attack surface, and building compliance into your workflow so ISO 27001, GDPR and SOC2 stop being a yearly fire drill.
If you're a developer, architect, or team lead at a company that isn't Google and you know your security posture needs work but don't know where to start, this one's for you.