User Security

User Security is No Security

Identity Provider Fallacy

Cloud compute is mostly secured by identity providers (IdPs), which makes the IdP a single point of trust:

  • Dishonest Administrator
    An administrator within the IdP can directly access and misuse user credentials, such as re-using username and password combinations to impersonate users to third-party services.

  • Powerful Management
    Even if all the administrators are honest, they can still be ORDERED to impersonate you by management or government.

  • Credential Theft
    If an attacker obtains the administrative credentials for an IdP, they can modify it to extend trust to domains or users they control, which then allows them to impersonate many users.

  • Federation Weakness
    This involves IdPs trusting and talking to each other, with attackers compromising the IdP federation process itself rather than any single IdP.

  • Cross-IdP Impersonation
    An attacker can create a fraudulent IdP with a domain that matches your company's domain. When you try to log in to a service using SSO, you might be tricked into authenticating through the attacker's IdP, granting them access to your accounts on downstream applications.

  • Key Compromise
    Numerous techniques (e.g. Golden SAML, Golden Ticket) compromise signing keys or forge authentication tokens to bypass IdP security measures; a token signed with a stolen key is cryptographically valid, so signature checks alone cannot detect it.
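Because a forged assertion made with a stolen signing key validates correctly, the defender's check has to come from somewhere other than the signature. One such check is correlating what the service provider accepted with what the IdP says it issued: an assertion that shows up at the service provider but never appears in the IdP's issuance log, or one with an abnormally long lifetime, is a Key Compromise indicator. The script below is an added example written for this page, not code from the page or from any IdP product; the log format, field names (assertion_id, subject, nbf, exp) and all log lines are constructed for the example.

```python
"""
Correlate service-provider (SP) assertion consumption with IdP issuance.

Constructed example: a forged (Golden SAML style) assertion is
cryptographically valid, so it is caught only by noticing that the IdP
never recorded issuing it, and that its validity window is far longer
than the IdP normally grants.
"""
from datetime import datetime, timedelta, timezone
import re

# Constructed IdP issuance log: one line per assertion the IdP signed.
IDP_LOG = """\
2024-03-01T09:00:02Z issued assertion_id=_a1 subject=alice@example.com audience=https://sp.example.com nbf=2024-03-01T09:00:02Z exp=2024-03-01T09:05:02Z
2024-03-01T09:07:10Z issued assertion_id=_a2 subject=bob@example.com audience=https://sp.example.com nbf=2024-03-01T09:07:10Z exp=2024-03-01T09:12:10Z
"""

# Constructed SP consumption log: one line per assertion the SP accepted.
# The third line was never issued by the IdP and is valid for a whole year.
SP_LOG = """\
2024-03-01T09:00:03Z accepted assertion_id=_a1 subject=alice@example.com issuer=https://idp.example.com nbf=2024-03-01T09:00:02Z exp=2024-03-01T09:05:02Z
2024-03-01T09:07:11Z accepted assertion_id=_a2 subject=bob@example.com issuer=https://idp.example.com nbf=2024-03-01T09:07:10Z exp=2024-03-01T09:12:10Z
2024-03-01T11:30:00Z accepted assertion_id=_zz9 subject=admin@example.com issuer=https://idp.example.com nbf=2024-03-01T11:29:00Z exp=2025-03-01T11:29:00Z
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_ts(s):
    """Parse the constructed ISO-8601 UTC timestamp format used in both logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn '<timestamp> <verb> k=v k=v ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, verb, rest = line.split(" ", 2)
        event = {"ts": parse_ts(ts), "verb": verb}
        event.update(dict(KV_RE.findall(rest)))
        events.append(event)
    return events


def audit(sp_log, idp_log, max_lifetime=timedelta(hours=1)):
    """Return assertion ids the SP accepted that look forged or tampered.

    unissued:   accepted by the SP but absent from the IdP issuance log
    mismatched: issued by the IdP, but for a different subject
    long_lived: validity window longer than the IdP is expected to grant
    """
    accepted = [e for e in parse_log(sp_log) if e["verb"] == "accepted"]
    issued = {e["assertion_id"]: e for e in parse_log(idp_log) if e["verb"] == "issued"}
    findings = {"unissued": [], "mismatched": [], "long_lived": []}
    for event in accepted:
        aid = event["assertion_id"]
        origin = issued.get(aid)
        if origin is None:
            findings["unissued"].append(aid)
        elif origin["subject"] != event["subject"]:
            findings["mismatched"].append(aid)
        if parse_ts(event["exp"]) - parse_ts(event["nbf"]) > max_lifetime:
            findings["long_lived"].append(aid)
    return findings


if __name__ == "__main__":
    for kind, ids in audit(SP_LOG, IDP_LOG).items():
        print(f"{kind}: {ids}")
```

The correlation only works if the IdP's issuance log is shipped somewhere the IdP administrators cannot quietly edit, which ties back to the Dishonest Administrator and Powerful Management points above; the max_lifetime threshold should be set to whatever the IdP is actually configured to issue.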

Reference:

VPN Fallacy

Virtual Private Network (VPN) was designed with CENTRALISED control and security for use in a corporate environment where the boss can see and control all communications.

Running a VPN as a public service NO LONGER provides a "private" network by definition. The real problem is that even where it is "private", the word "private" in VPN means the communication is private to the company, not to the individual users (employees).

Trusting your VPN provider more than your government regulated carrier is like trusting your cryptocurrency exchange more than your government regulated bank.

The more traffic you put through a VPN, the more valuable it becomes as a target, and the more you expose yourself to the provider's staff or to whoever has hacked them.

NordVPN Breached

LimeVPN Breached