Stockholm & Tallinn - 2022

This is part three of Baltic Adventures. Part One captured the chaos of post-pandemic travel and our bonus tour of Amsterdam. Part two covered our four days in Finland. This part covers our time in Stockholm and Tallinn and the trip home. We boarded our cruise line from Helsinki to Stockholm a little before 4 pm (about an hour and a half from departure time). Our family room consisted of four bunk beds.

Finland - 2022

This is part two of Baltic Adventures. Part One captured the chaos of post-pandemic travel and our bonus tour of Amsterdam. This post will cover our 4 days in Finland. Our original plan had us taking an easy first day in Helsinki, maybe doing a simple canal cruise. The delay getting to Helsinki meant we didn’t get the down day. Instead, we got up the next morning to get the rental car.

Adventures in post-pandemic travel

This will be the first in a series of travel-related posts. I found a distinct lack of information on the internet about some specific logistical things around international travel. I hope these posts are useful to whoever finds them via some Google-fu. This summer, myself, my wife, and the 10-year-old are on a three-country, four-city tour of the Baltics. We picked this itinerary because 1) we found a good price on Delta One, and 2) at the time we booked it, we wanted to visit some countries that geopolitical affairs might make impossible in the future.

Ghost of CloudSec Yet to Come

A cheerful ghost of cloud security yet to come. I’ll talk about where CloudSec really needs to focus - on the pipeline and ultimately on the cloud developer or engineer. Finally, I’ll close out with a one-year roadmap for how I’d build a third (fourth) program if I’m crazy enough to do this again at my next job.

The Philosphy of Prevention

Following up on the Tar-Pit of CSPM, I feel the need to offer something more constructive for CloudSecurity practitioners to do. Cloud Security Posture Monitoring is “here’s a spreadsheet of issues, go fix them”. There are other ways, but none of them are a panacea. (Adding a link to Part III Ghost of CloudSec Yet to Come covering IAC Scanning, User Awareness, and a roadmap on building a CloudSec Program)

The Tar Pit of CSPM

It’s been a little less than five years since I moved from a media production cloud nerd to a cloud security nerd. As I ponder what I’m going to do next, I want to reflect on some of the things I got right and some that didn’t work out as expected. [ Update I use the term CSPM but never officially define it. In this case, I’m using it to mean Cloud Security Posture Monitoring - there are some who define CSPM and Cloud Security Posture Management, but this post is about detecting issues, not fixing them.

SECCDC 2022 - The Rise of Fooli

The Southeast Collegiate Cyber Defense Competition is an annual competition where eight teams from various colleges have to defend their systems from Red Team attacks while also executing on management-type business challenges. This is my second year helping Kennesaw State University run the SECCDC in AWS. This year we not only ran the Regional competition on-site at KSU, but we also hosted 26 teams for the preliminary round. In previous years the scenario was HALCORP, a fictional company that did nothing but generate compliance paperwork.

SES to Slack

As part of my work setting up free domains in Google, I realized I needed a way to receive email. My normal process for getting emails on secondary domains I own was to add them as a User Alias Domain attached to However, for these Google Cloud Identity domains I couldn’t do that. A domain can’t be both it’s own Cloud Identity domain, and a User Alias Domain. So I started experimenting with AWS SES.

Creating your first GCP Organization

Note: this is the first in what I hope will become a series of GCP Security 101 posts. Most cloud governance or cloud security folks have never created a Google Organization from scratch. Typically you come into an organization that has already implemented some form of Google. Most likely, that implementation was organic. There was no planning, no design, it’s was just there. I’ve also found that cloud engineers typically only have access to https://console.