
When AWS Goes Down, Everyone Feels It: Inside the Business Fallout of Today’s Outage

By David Glenn | SecurityJabber.com

When Amazon Web Services (AWS) sneezes, the internet catches a cold.
Today, it caught the flu.

A sweeping AWS outage on Monday morning disrupted major digital infrastructure across the U.S. and beyond — impacting Netflix, Slack, Fortnite, Roblox, and even Wordle, according to TechRadar’s live coverage and Tom’s Guide’s update feed.

For millions of users, it was another Monday morning reminder that “the cloud” isn’t a celestial concept — it’s someone else’s computer, and sometimes that computer goes down.

While gamers flooded social platforms demanding answers, enterprise operations teams were left scrambling as authentication systems, applications, and backend processes went offline — proving once again how deeply modern business depends on one provider’s uptime.

The Business Cost of Cloud Fragility

Industry analysts warn that the cost of downtime continues to increase annually and doesn’t show signs of slowing down in the cloud era. For businesses whose services depend entirely on cloud infrastructure, lost transactions, customer churn, SLA violations, and reputation damage can push losses into the millions per hour.

For modern enterprises, it’s not just downtime — it’s business downtime. The difference is the scale.

When infrastructure-as-a-service halts, the effects aren’t isolated — they cascade.

Think about it:

  • Manufacturers can’t access digital twins or ERP systems.

  • Hospitals lose access to analytics dashboards and patient portals.

  • Banks face authentication delays that trigger compliance red flags.

And because most organizations host both production and identity systems in the same cloud, a single regional failure can freeze operations from end to end.

That’s not just downtime — it’s digital paralysis.

What Today’s Outage Really Exposed

Outages like this aren’t new, but the impact has changed.
Five years ago, cloud failures were inconvenient. Today, they’re existential.

Most companies have excellent cybersecurity tools, yet few have true operational resilience.
The difference is simple: cybersecurity protects you from attacks — resilience protects you from everything else.

Today’s AWS incident underscored several weak points that organizations often overlook:

  1. Single-Cloud Dependency
    Relying on one provider for both operations and authentication creates a systemic risk few companies model effectively.

  2. Identity Fragility
    If your single sign-on or MFA system depends on the same infrastructure that’s down, your workforce is locked out.

  3. Visibility Gaps
    Monitoring tools hosted within the affected environment can’t alert you to problems — precisely when you need them most.

  4. Vendor Interdependencies
    SaaS, DNS, and CDN providers often sit on the same cloud backbone, magnifying impact when it fails.

What Organizations Should Be Doing Now

You can’t control AWS uptime, but you can control how your organization responds to it.

Here’s how leading companies are fortifying their operations:

1. Build for Cloud Independence

Design your systems with multi-cloud or hybrid failover in mind. Even if workloads remain on AWS, critical functions like identity, DNS, and monitoring should live elsewhere.

2. Separate Identity from Infrastructure

Don’t allow a single failure point to lock out your users. Identity continuity planning should be a standard component of every business continuity strategy.

3. Maintain Out-of-Band Communication Channels

When collaboration tools fail, teams need predefined, offline backup channels — SMS, secure messaging, or pre-approved personal devices for emergencies.

4. Continuously Test Disaster Recovery Plans

Don’t wait for the next outage to discover what’s broken. Run live drills that simulate major service provider failures.

5. Partner for Resilience and Monitoring

This is where Plurilock’s Critical Services can make a measurable difference.

Plurilock helps organizations assess dependency risks, implement business continuity plans, and monitor mission-critical systems through redundant, multi-channel visibility.

The company’s expertise in data protection, zero trust, identity and access management, endpoint management, compliance, and continuous monitoring ensures that when cloud infrastructure falters, clients retain operational awareness and continuity.
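The dependency-risk assessment that the weak points above (single-cloud dependency, identity fragility, visibility gaps, vendor interdependencies) and the first two recommendations describe can be made concrete with a small model of the estate. The following is an added example, not code from this article or from Plurilock; the service inventory, provider names and business functions are constructed for illustration. It answers two questions a continuity plan needs answered: which business functions stop when one provider or region fails, and which supporting roles (identity, monitoring, DNS) have no instance outside the providers that also host production.

```python
"""Dependency-risk check for a cloud-hosted estate.

Added example (not from the article): given a constructed service inventory,
report which business functions stop when one provider or region fails, and
flag roles (identity, monitoring, DNS) that have no instance outside the
providers that also host production.
"""
from collections import defaultdict

# Constructed sample inventory; service and provider names are hypothetical.
# "role" is the part the service plays in the estate.
SERVICES = {
    "erp-backend":      {"provider": "aws-us-east-1", "role": "production"},
    "sso-idp":          {"provider": "aws-us-east-1", "role": "identity"},
    "mfa-push":         {"provider": "aws-us-east-1", "role": "identity"},
    "metrics-alerting": {"provider": "aws-us-east-1", "role": "monitoring"},
    "status-page":      {"provider": "other-cloud",   "role": "monitoring"},
    "public-dns":       {"provider": "dns-vendor",    "role": "dns"},
}

# Business functions. Each entry is a list of requirement groups; a group is a
# list of alternative services, and the function stays up only if every group
# still has at least one live service (so a group of two is a failover pair).
FUNCTIONS = {
    "employee-login":      [["sso-idp"], ["mfa-push"]],
    "order-processing":    [["erp-backend"], ["sso-idp"], ["public-dns"]],
    "incident-visibility": [["metrics-alerting", "status-page"]],
}


def function_is_up(requirements, failed_provider, services):
    """True if every requirement group has a service not on the failed provider."""
    return all(
        any(services[svc]["provider"] != failed_provider for svc in group)
        for group in requirements
    )


def impacted_functions(failed_provider, services=SERVICES, functions=FUNCTIONS):
    """Business functions that go down if `failed_provider` fails entirely."""
    return sorted(
        name for name, reqs in functions.items()
        if not function_is_up(reqs, failed_provider, services)
    )


def blast_radius(services=SERVICES, functions=FUNCTIONS):
    """Providers ranked by how many business functions their failure takes out."""
    providers = sorted({info["provider"] for info in services.values()})
    ranked = [(p, len(impacted_functions(p, services, functions))) for p in providers]
    return sorted(ranked, key=lambda pair: (-pair[1], pair[0]))


def shared_fate_roles(services=SERVICES):
    """Roles with no instance outside the providers that also host production.

    This is the identity-fragility / visibility-gap pattern: if SSO, MFA or
    monitoring exist only where production lives, they fail together with it.
    """
    providers_by_role = defaultdict(set)
    for info in services.values():
        providers_by_role[info["role"]].add(info["provider"])
    production = providers_by_role.get("production", set())
    return sorted(
        role for role, provs in providers_by_role.items()
        if role != "production" and provs <= production
    )


if __name__ == "__main__":
    for provider, count in blast_radius():
        print(f"{provider}: {count} function(s) down -> {impacted_functions(provider)}")
    for role in shared_fate_roles():
        print(f"FINDING: '{role}' has no instance outside the production providers")
```

In the constructed inventory, losing `aws-us-east-1` takes out employee login and order processing but not incident visibility, because the status page lives on a second provider and is modelled as an alternative to the in-region alerting stack; the `identity` role is flagged because both SSO and MFA sit only where production does. Running the same check against a real inventory, with the requirement groups filled in from an application dependency map, gives a concrete list of what to move out of the primary cloud first.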

Shameless plug… I just joined this company because of what they are doing to help companies properly prepare for and mitigate this rising business concern.

Resilience Is the New Uptime

AWS will fix its systems.
Gamers will get back to Fortnite.
But for business leaders, this outage should serve as a wake-up call: your continuity plan is only as strong as your weakest dependency.

In a hyperconnected economy, trust and uptime are now the same thing — and both demand a layered approach to resilience, not blind faith in a single provider.

The takeaway is simple:
Don’t just protect your data — protect your ability to operate.

Because when the cloud goes down, your customers don’t care whose fault it was — only whether you were ready.


Personal OpSec - random notes

Hey. Happy Thursday. Really good version of Tom Ryan’s Security Mindset Clubhouse room last night. Talked a ton about personal OpSec. A few links and tips below. The team talked about various strategies to protect security and identity including:

  • There’s the obvious, like not texting or emailing things like your SSN or pictures of your ID or SS card, and using as few identifiers as possible

  • Using services you have already shared data with instead of signing up for a new service and giving it more personal information - like VISA, MC, AMEX… OR using the credit bureaus (Experian, TransUnion, Equifax)

  • Using a “standard” fake birthday when signing up for websites

  • Using a paid service like “Delete Me” to keep your personal data posted on the web to a minimum / remove personal data sold by brokers. How We Work - DeleteMe (joindeleteme.com) (Thanks Eric)

  • Making sure your family members know “the rules” about posting pictures of you on social

    • Mixed discussion of letting that happen at all

    • Stay out of pictures altogether if you can help it (Thanks Jane)

  • Elixabeth has shared in the past how she works with younger relatives to put together a fake persona for them when they join social. That way they start out NOT exposing their real contact info, and she keeps a consistent record of the data used.

  • Much discussion about using “standard” fakes for mother’s maiden and other key identifiers when setting up a non-financial account if you HAVE to use that info.

  • Using a disposable email service like Nada (thanks Dave M) to use a separate address for each signup, or a one-time address (to sign up for whitepapers, etc): nada - Disposable Temp Email (getnada.com)

  • Reading stuff from Michael Bazzell, listening to his podcast, or using his free workbooks on data removal and credit freezes: IntelTechniques by Michael Bazzell (Very useful website; thanks again Dave)

All in all, I highly recommend joining the Law, Tech and Infosec club (https://www.clubhouse.com/club/law-tech-infosec, with a Tuesday 11:30am PT / 2:30pm ET discussion) as well as the Security Mindset club (https://www.clubhouse.com/club/security-mindset, with Wednesday 3:00pm PT / 6:00pm ET discussion rooms) to see for yourself.

Watch your 6… See you there.


BlackHat 2021, DefCon 29 and Usenix 30th Security Symposium

Another summer has almost passed, and I missed the Vegas pilgrimage. What with masks and shots, sick people and crazy people… I am still not 100% down with travel. Don’t get me wrong, some crazy part of me really misses waking up in a hotel room wondering where I am and what is on my calendar for the day, but sadly it’s not really fully back to “normal” (which my sister says “is just a setting on the dryer”). All that said, my plan is to be there next year.

I’ve heard mixed reviews. The consensus was that it was lightly attended, and that there were many more “innovation vendors” than mainstream big guys. But maybe that’s a good thing. I’ve always enjoyed the outside ring of vendors at shows like RSA, and think that we need more of those in the industry.

Consolidation continues, and companies are recognizing that there is a balance to the idea that workers with a less rigid onsite work schedule can be happier and more productive. Then there are a great number of people who have not used the time wisely and have instead used this as an excuse to slack. Whichever you are, I hope you’re finding ways to be successful in the new normal.

But I digress… Thanks to my good friend Tom Ryan, I have this killer list to share with you. Here are slides, talks and videos of some of the best of this year’s Vegas security fest. Check ’em out. Some great stuff here:

DefCon 29 Videos: https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20video%20and%20slides/

DefCon 29 Slides: https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/

BlackHat 2021 (Slides accessible within each talk's link): https://www.blackhat.com/us-21/briefings/schedule/index.html

30th Usenix Security Symposium (papers and presentations): https://www.usenix.org/conference/usenixsecurity21/technical-sessions

Do you have any training links to share? Information that might be useful? Post below please! I’m interested.
