Threat Stack Blog and Cloud Security News

Continuous security monitoring for your cloud.

Anthony Alves

15 years of experience as a security engineer at Trusteer (IBM Security), Core Security Technologies, and Threat Stack has made Anthony a valuable member of Threat Stack's growing Oversight team. Anthony helps our customers deploy, configure, fine-tune, and manage their continuous security monitoring so they can run secure and compliant, without sacrificing time and resources.

Recent Posts

5 Things All Security Teams Should Be Doing (But Many Aren't)

by Anthony Alves, posted in Cloud Security, Cloud Security Best Practices, Continuous Security Improvement

Security teams are expected to do a lot these days. From properly configuring the cloud environment, to protecting the organization from today’s latest threats, to answering tough questions from the board and customers, there’s more than enough to be done, but how do you know you’re doing the right things?

In this post, we’ll dive into the five biggest areas of security that all teams should be paying attention to. Addressing these will protect you from a large majority of security threats today, and will also create a solid security foundation that you can incrementally build on as your organization grows and your needs become more complex.

Apr 13, 2017 5:38:20 PM

The 5 Questions Your Security Team Should Be Able to Answer

by Anthony Alves, posted in Cloud Security, Cloud Security Best Practices

In a time when security consciousness is high and stories about security breaches are all too frequently in the headlines, your security team needs to be ready for questions it’s bound to receive from customers, auditors, employees, board members, and other affected parties.

We’ve covered a lot of topics in this blog, including cloud security strategies, basic security hygiene, best practices, and how to mature your security posture. But to make it easy for your security team, we’re going to use this post to address five fundamental questions that any security team must be able to answer and give tips on how you can prepare to answer them.

Apr 10, 2017 11:39:01 AM

Considerations For Creating Secure User Groups on AWS Using IAM

by Anthony Alves, posted in AWS Security, IAM, Identity Access and Management, IAM Users and Groups

A big difference in the way on-premise infrastructures and cloud infrastructures are implemented centers on the way that user permissions are assigned. As you move towards software-defined everything, where data and systems are far more connected (generally a good thing), you need to pay special attention to the roles and permissions you grant to ensure that users are only given as much access as they absolutely need. No more, no less.

Nov 29, 2016 10:11:08 AM

How to Verify That Compliance Controls and Processes are Being Met

by Anthony Alves, posted in Cloud Security, Compliance, Compliance in the Cloud, Compliance Strategy

Compliance is a complex, ongoing process. Between deciphering requirements into relatable terms, allocating a budget, and assembling a team for your compliance audit — all while trying to stay focused on running your business — there’s a lot to think about and do. And after all of this, there is still more that needs to be managed.

From regular maintenance of the processes, controls, and technology you implemented, to questions from customers about your level of compliance, you’ll quickly realize that compliance is a continuous process that needs to be managed, not a one-and-done activity.

Having said that, what are you doing, or going to do, to make your compliance plan accessible so team members — from Security to IT to Sales — can quickly verify a control or process?

Nov 15, 2016 9:05:27 AM

The Ultimate Compliance Cheat Sheet: A Wrap Up of Threat Stack’s Cloud Compliance Series

by Anthony Alves, posted in HIPAA, Compliance, Compliance in the Cloud, PCI DSS, Compliance Playbook


We write about compliance (and talk to customers about it) pretty regularly, and if you’ve been following our blog over the last two months, then you know we also just did a full series on the topic. In addition, we released the Threat Stack Compliance Playbook that’s full of practical information you can use to help your company achieve compliance without losing your sanity.

Oct 7, 2016 11:13:05 AM

Allocating Resources for a Compliance Audit: A Practical Framework

by Anthony Alves, posted in HIPAA, Regulatory Compliance, Compliance in the Cloud, PCI DSS, Compliance Audit, Resources


When companies prepare to meet compliance, whether it’s PCI DSS, HIPAA, or SOC 2, one thing that can be estimated inaccurately is the stakeholders who need to be involved — who they are, what departments they come from within your organization, what their roles are, what knowledge and skill sets they require, how long they’ll be needed, etc. This post is intended as a practical guide to help you develop a thorough and realistic resource plan for your next compliance audit.

Oct 6, 2016 1:28:29 PM

When is Good Enough Good Enough? Meeting Compliance Without Losing Your Mind

by Anthony Alves, posted in HIPAA, Compliance, Compliance in the Cloud, PCI DSS


Have you heard the one about the bear and the two hikers?

A bear jumps out of the bush and starts chasing two hikers. They both start running for their lives, but then one of them stops to put on his running shoes.

The first hiker says, "What are you doing? You can't outrun a bear!"

The second hiker replies, "I don't have to outrun the bear; I only have to outrun you!"

Compliance works in a similar way. You don’t need to be the most compliant company; you just need to meet the requirements well enough to satisfy regulators, auditors, customers, and stakeholders. And, ideally, you want to be more compliant than your competitors. That’s how you outrun the bear (err… win the customer.)

Sep 30, 2016 9:45:38 AM

File Integrity Monitoring and Its Role in Meeting Compliance

by Anthony Alves, posted in HIPAA, Cloud Security, File Integrity Monitoring, Regulatory Compliance, PCI DSS, FIM


When’s the last time someone made an unauthorized change to your system files?

To answer this and other important security questions, as well as to meet many compliance requirements, you first need to have file integrity monitoring. In case you aren’t familiar with the term, file integrity monitoring (sometimes abbreviated to FIM) is the method for knowing exactly when and how your files are being changed at any moment in time. This includes critical system files, configuration files, and content files.

Sep 27, 2016 11:14:32 AM

Budgeting for a Compliance Audit: A Practical Framework

by Anthony Alves, posted in HIPAA, Regulatory Compliance, Compliance in the Cloud, PCI DSS, Compliance Audit


Companies can easily underestimate the investment required to meet compliance. Thinking compliance is a one-and-done activity that you can skate by with minimal spend only sets you up for unpleasant surprises later on. Compliance can be a long, drawn-out process, involving everyone including HR, finance, security, and leadership. So it’s important to look at all the costs up front in order to set aside a realistic budget.

A good way to approach compliance is to treat it like a new product launch. You’ll need a dedicated project team, new technology, a reasonable budget, and more to get it off the ground.

Sep 21, 2016 3:30:42 PM

The Compliance Playbook: How to Build PCI & HIPAA Compliant Businesses in the Cloud

by Anthony Alves, posted in HIPAA, Cloud Security, Regulatory Compliance, Compliance in the Cloud, PCI DSS



The Threat Stack Compliance Playbook for Cloud Infrastructure is now available!

The Compliance Playbook is intended for readers who want to understand what’s involved in becoming compliant in a cloud environment — without getting caught up in the details and complexity that the compliance process is well known for.

Sep 14, 2016 1:04:41 PM
