Cloud Security Content on InfoQ
-
Google Introduces Cloud Fraud Defense as Successor to reCAPTCHA
At the recent Next ’26 conference, Google introduced Google Cloud Fraud Defense, the successor to reCAPTCHA. The platform goes beyond basic bot detection to address broader online fraud across login, account creation, and payment flows, helping organizations detect suspicious behavior and block abuse, including fake accounts, automated attacks, and transaction fraud.
-
Kubernetes v1.36 Released: Security Defaults Tighten as AI Workload Support Matures
Kubernetes v1.36, released in 2026, includes 70 enhancements focused on security, AI workloads, and API scalability. Key features graduating to General Availability are User Namespaces, Mutating Admission Policies, and Fine-Grained Kubelet API Authorization. The release also addresses workload management and introduces new features for AI resource allocations.
-
How GitHub Is Securing Agentic Workflows in Modern CI/CD Systems
GitHub detailed a defense-in-depth security architecture for agentic workflows in CI/CD pipelines, focusing on isolation, constrained execution, and auditability. The design aims to safely integrate autonomous AI agents while mitigating risks like prompt injection, privilege escalation, and unintended actions, using sandboxed environments, restricted permissions, and full execution traceability.
-
Cloudflare Outlines MCP Architecture as Enterprises Confront Security and Governance Risks
Cloudflare has outlined a reference architecture for scaling Model Context Protocol (MCP) deployments across the enterprise, positioning centralized governance, remote server infrastructure, and cost controls as key requirements for production-ready agent systems.
-
CNCF Warns Kubernetes Alone Is Not Enough to Secure LLM Workloads
A new blog from the Cloud Native Computing Foundation highlights a critical gap in how organizations are deploying large language models (LLMs) on Kubernetes: while Kubernetes excels at orchestrating and isolating workloads, it does not inherently understand or control the behavior of AI systems, creating a fundamentally different and more complex threat model.
-
New Rowhammer Attacks on NVIDIA GPUs Enable Full System Takeover
Security researchers have demonstrated a new class of Rowhammer attacks targeting NVIDIA GPUs that can escalate from memory corruption to full system compromise, marking a significant shift in hardware-level security risks.
-
CNCF and Kusari Partner to Strengthen Software Supply Chain Security across Cloud-Native Projects
The Cloud Native Computing Foundation (CNCF) and Kusari have announced a new collaboration aimed at strengthening software supply chain security across cloud-native projects, providing free access to Kusari's AI-powered security tooling for CNCF-hosted projects.
-
Open Source Security Tool Trivy Hit by Supply Chain Attack, Prompting Urgent Industry Response
A major security incident affecting the widely used open source vulnerability scanner Trivy has exposed critical weaknesses in software supply chain security, after maintainers confirmed that a malicious release was briefly distributed to users.
-
Cloudflare Adds Active API Vulnerability Scanning to Its Edge
Cloudflare has announced the open beta of its Web and API Vulnerability Scanner. This Dynamic Application Security Testing (DAST) tool is part of the API Shield platform.
-
Kubescape 4.0 Brings Runtime Security and AI Agent Scanning to Kubernetes
Version 4.0 of the open source Kubernetes security platform Kubescape has been released, bringing runtime threat detection and a new set of AI-era security features. This is the first time the project has targeted the security of AI agents themselves, alongside its established scanning capabilities.
-
HashiCorp Vault 1.21 Brings SPIFFE Authentication, Granular Secret Recovery, and More
HashiCorp has released Vault 1.21. This version introduces native SPIFFE authentication for non-human workloads, expands the granular secret recovery model introduced in Vault 1.20, and adds KV v2 secret attribution, MFA TOTP self-enrollment, a Vault Secrets Operator CSI driver that mounts secrets directly into pods without persisting them in etcd, and more.
-
AWS Launches Managed OpenClaw on Lightsail amid Critical Security Vulnerabilities
AWS launched managed OpenClaw on Lightsail for AI agent deployment while security concerns mount. The 250k-star GitHub project is affected by CVE-2026-25253, which enables one-click RCE, with 17,500+ vulnerable instances exposed. Bitdefender found 20% of ClawHub skills malicious. AWS blueprint provides automated hardening, but doesn't address architectural security limits.
-
Standardizing Post-Quantum IPsec: Cloudflare Adopts Hybrid ML-KEM to Replace Ciphersuite Bloat
Cloudflare has extended hybrid post-quantum encryption to IPsec and WAN traffic, standardizing its SASE stack ahead of the NIST 2030 deadline. By adopting a streamlined ML-KEM key exchange, the move addresses long-standing "ciphersuite bloat" in quantum-resistant IPsec. The update aims to neutralize "harvest now, decrypt later" threats without requiring specialized hardware upgrades.
-
Teleport Launches Agentic Identity Framework to Secure AI Agents across Enterprise Infrastructure
Teleport recently unveiled the Teleport Agentic Identity Framework, a new AI-centered security model designed to help enterprises safely deploy autonomous and semi-autonomous AI agents across cloud and on-premises environments.
-
CloudFront Adds Origin mTLS Authentication for End-to-End Zero Trust
Amazon CloudFront now supports mutual TLS authentication for origin servers, completing end-to-end zero-trust authentication from viewers to backends. The feature replaces IP allowlists and shared secrets with cryptographic verification, proving particularly valuable for multi-cloud deployments, where origins can verify that traffic originated from CloudFront without VPN tunnels.