u/Soft_Attention3649

we spun up an agent to handle some internal reporting, read access to a few databases, nothing privileged, at least that's what we assumed at the time. ran for maybe three months without anyone checking in on it.

during a routine audit someone pulled the agent's activity logs and noticed it was authenticating against one of our older internal databases using a credential that wasn't in our secrets manager. traced it back and found the agent had picked up a hardcoded credential sitting in a script from a migration we did two years ago. the original script was supposed to be decommissioned. it wasn't. the credential still worked. the agent found the most efficient path and used it.

the database it was accessing had customer records in it. read-only, so nothing was modified, but the access was never supposed to exist and we had no idea it was happening.

the IdP shows clean. okta has no idea this access path exists because it's not routing through the IdP at all. the application just has its own auth sitting there from years ago and the agent discovered it. there's no connector for it, no provisioning flow, it just exists.

how are people actually tracking what paths an agent takes once it's inside an environment? logging the task completion doesn't help if you don't know what it accessed to get there.

we're fully multi-cloud now. most of our compute sits in AWS, some data workloads in Azure, and analytics ended up in GCP.

the problem isn't any single cloud, it's the gaps between them.

i can see what's happening in AWS Security Hub. Azure has its own view. GCP too. just not in one place.

same asset shows up differently depending on where you look, and priority doesn’t line up.

we’ve tried:

• a SIEM as the aggregation layer: works for logs, not for posture
• a spreadsheet (don’t laugh, it lasted two weeks :))
• weekly cross-cloud review meetings: slow and manual

not sure if CNAPP actually solves this or just becomes another dashboard.

if you're managing security across multiple clouds, what's your actual workflow? not the tool name the workflow.

[ Removed by Reddit on account of violating the content policy. ]

Blocked everything not on the approved list in Q2 last year.

4 months in, people were on personal hotspots.People had personal devices sitting next to work machines just to get around it.. Someone running a browser tool that never hit the block list because it never touched the network. Month 6 and there was more going on that we couldn't see than before any of this started.

Pulled the blocks. Now everything is allowed and I have no idea what's going into these tools. Someone on the data team pasted a client list into a summarization tool last week. Found out in a standup, not from anything we run.

Can't go back to blocking. Tried that. But I can't keep running like this either.

Anyone running something that lets you allow the tools but still control what goes in, specifically at 200+ engineers, does it hold up or fall apart at that scale

We're ramping up content experiments for our UK audience but A/B testing feels messy right now. tools like Google Optimize are gone and everything else seems US focused or too clunky for landing pages and emails. need something that handles UK traffic splits properly without crazy setup. we've got GA4 but splitting variants there doesnt give clean stats. tried VWO briefly but pricing stung for what we need. anyone got a simple setup that works well for uk specific content and what tools or workflows actually deliver reliable results without eating dev time?