For a long time our cloud security was a wall of alerts and a person whose job was to read them. A public bucket would fire a notification, someone would see it twenty minutes later, and we would scramble to close it. The bucket was public for twenty minutes. The better question was why we let it become public at all.
Detective controls are an apology after the fact
A detective control is an alert that fires once the risky thing already exists. By definition there is a window where you are exposed: at least the alert latency plus however long it takes a person to notice, understand, and remediate. A preventive control refuses the risky thing at creation time, so the window never opens. We shifted as much as we could from the first kind to the second, and our pager volume dropped along with our actual exposure.
- Deny public storage at the policy layer, so it cannot be created, instead of alerting when it appears
- Block unencrypted volumes at admission rather than flagging them in a weekly report
- Require tags and an owner before a resource provisions, not after it is orphaned
- Make the secure default the only path, so the insecure one needs an explicit, reviewed exception
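The four controls above, as decision logic. This is an added example, not the post's own code: it assumes a hypothetical request format (a dict with `kind`, `name`, `tags` and a couple of kind-specific fields) and a `Waiver` record standing in for the reviewed exception. Every rule is checked, a violation is tolerated only when an unexpired waiver names both this resource and this rule, and every waiver that was actually used is recorded so the detective backstop can watch exceptions rather than the whole estate. The sample requests and waivers are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Waiver:
    """Reviewed, time-boxed exception for one rule on one named resource.
    Hypothetical shape; a real one would be issued by the review process."""
    resource: str
    rule: str
    ticket: str
    approver: str
    expires: datetime


@dataclass
class Decision:
    allowed: bool
    violations: list = field(default_factory=list)  # (rule_id, reason)
    waived: list = field(default_factory=list)      # (rule_id, ticket)


# Each rule returns a reason string when the request violates it, or None.
# The request format is a constructed simplification for the example.
def no_public_storage(req):
    if req.get("kind") == "bucket" and req.get("public_access", False):
        return "bucket would be publicly readable"
    return None


def volumes_encrypted(req):
    if req.get("kind") == "volume" and not req.get("encrypted", False):
        return "volume is not encrypted at rest"
    return None


def owner_tag_present(req):
    if not (req.get("tags") or {}).get("owner"):
        return "missing required 'owner' tag"
    return None


RULES = {
    "deny-public-storage": no_public_storage,
    "require-volume-encryption": volumes_encrypted,
    "require-owner-tag": owner_tag_present,
}


def admit(req, waivers=(), now=None):
    """Decide whether a resource request may be created. The caller refuses
    creation when Decision.allowed is False; Decision.waived is the audit
    trail of exceptions that were relied on."""
    now = now or datetime.now(timezone.utc)
    name = req.get("name", "<unnamed>")
    decision = Decision(allowed=True)
    for rule_id, check in RULES.items():
        reason = check(req)
        if reason is None:
            continue
        # A waiver must match resource *and* rule and must not have expired.
        waiver = next(
            (w for w in waivers
             if w.resource == name and w.rule == rule_id and w.expires > now),
            None,
        )
        if waiver is not None:
            decision.waived.append((rule_id, waiver.ticket))
        else:
            decision.allowed = False
            decision.violations.append((rule_id, reason))
    return decision


# Constructed sample input: a fixed clock, one valid and one expired waiver,
# and four requests that exercise every path through the guardrail.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_WAIVERS = [
    Waiver("static-site", "deny-public-storage", "SEC-1234", "alice",
           NOW + timedelta(days=30)),
    Waiver("marketing-assets", "deny-public-storage", "SEC-0987", "bob",
           NOW - timedelta(days=1)),  # expired: excuses nothing any more
]
SAMPLE_REQUESTS = [
    {"kind": "bucket", "name": "marketing-assets", "public_access": True,
     "tags": {"owner": "marketing"}},
    {"kind": "volume", "name": "db-data-1", "encrypted": False, "tags": {}},
    {"kind": "bucket", "name": "static-site", "public_access": True,
     "tags": {"owner": "web"}},
    {"kind": "volume", "name": "app-data-2", "encrypted": True,
     "tags": {"owner": "app"}},
]


def evaluate_samples():
    """Run every sample request through the guardrail; returns name -> Decision."""
    return {r["name"]: admit(r, SAMPLE_WAIVERS, NOW) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for name, d in evaluate_samples().items():
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{verdict} {name}: violations={d.violations} waived={d.waived}")
```

Two things matter more than the rules themselves. The waiver is scoped to one resource and one rule and carries an expiry, so an approved exception cannot quietly become a blanket permission; and the logic only counts as preventive if it runs where the provider enforces it (an organization policy, an admission controller, or equivalent). The same check run only in CI is a detour, because anyone with console or API access can create the resource without passing through it.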
Make the safe thing the easy thing
Guardrails earn their keep only if the paved road is genuinely easier than going around. We give teams modules where encryption, logging, and sane network defaults are already wired in. Using the module is less work than rolling your own, so people use it, and the guardrail rarely has to say no because the right thing is also the convenient thing.
If your secure path is harder than the insecure one, you have not built a guardrail. You have built a detour that people will route around.
Keep a few detectives anyway
We did not delete all alerts. Some risks cannot be prevented cleanly, and you still want to know when a guardrail is bypassed via an approved exception that turned out to be a mistake. The shift is one of proportion. Prevention is the default and the bulk of the work; detection is the thin backstop for the cases prevention cannot cover.
The honest tradeoff
Preventive controls make people angry on day one, because they block something that used to work. We absorb that by making exceptions fast and reviewed, never impossible. A guardrail with no escape hatch gets disabled by an exhausted team at 2am. A guardrail with a five-minute, logged exception process survives, because it never forces anyone to choose between security and shipping.