Your cloud's best lock is the one attackers ignore
The biggest diamond heist in history skipped the lasers and the acrobatics. So does every cloud breach worth worrying about.
Every heist movie has the same scene. Danny Ocean gets the band back together, there's a montage, one guy does explosives, one guy folds himself into a duffel bag, and by the end of act two they're all hunched over a blueprint of a vault guarded by lasers, pressure plates, and a room that beeps if your heart rate climbs above "smug."
The biggest diamond heist in actual history had none of that. It had a man who paid rent for two and a half years and a can of hairspray.
In 2003, an Italian named Leonardo Notarbartolo robbed the Antwerp Diamond Center, which sat on top of the most secure vault in Europe. Ten layers of security, the kind of list with its own slow camera pan: a hundred-million-combination lock, a magnetic seal, seismic and infrared sensors, a light sensor, a literal foot-long key, cameras on everything.
Notarbartolo's move was renting an office in the building. Posing as a gem dealer got him a nameplate and, since that's how the building worked, his own safe deposit box in the vault downstairs. The most secure vault in Europe handed him a key to its own front door because he signed a lease.
The vault was world-class. It just wasn't asked the question it was built to answer. They reportedly hairsprayed the heat sensor, taped over the light sensor, bagged the cameras, and used a key sitting in a metal box near the door. Then they emptied 109 of the 189 boxes and walked out with north of $100 million in diamonds and gold. The strongest thing in the building, that hundred-million-combination lock, they never touched.
Your cloud is that vault. You're running the building.
Your provider built the vault. You run the building.
Every cloud platform splits the work the same way. The providers call it the shared responsibility model, and almost nobody reads the line. Amazon, Google, Vercel, Supabase, Cloudflare: they handle the infrastructure. The concrete, the wiring, the hypervisor, everything underneath your code. That half is fantastic, better than anything you'd build yourself, and it's the half nobody is coming for. No bank robber's plan has ever opened with "step one, defeat the reinforced concrete."
Your half is everything you put inside the vault and everyone you let into the building. Which buckets can be read. Whether the role you stapled onto a server can reach your entire customer database or just send a welcome email. The system that decides who's allowed to do what is called IAM, identity and access management, and it is entirely yours. The cloud enforces whatever rules you give it with the loyal, literal enthusiasm of a dog fetching the knife you threw.
And here's the cruel part: the fancier the platform, the safer you feel, and the safer you feel, the less you look. "We're on Supabase, we're fine" feels true because the wall is so thick. Same vault. Heavier door. The door was never the thing.
The thieves had a key
The biggest cloud heist on record has the same plot, with even less glamour.
In 2019, Capital One lost the data of 106 million people, and Amazon's servers were never breached. The thief, Paige Thompson, was a former AWS engineer, and she cracked nothing. She found a misconfigured web application firewall running on a server that had been handed an access role roughly the size of "do whatever you like," and through a trick called server-side request forgery (SSRF: making a server send requests on your behalf) she had it fetch its own temporary credentials from Amazon's internal key drawer, the instance metadata service that answers at 169.254.169.254 on every EC2 box. The drawer handed them over: the request came from inside the house and looked legitimate. With that key she listed 700-plus storage buckets and copied out 106 million credit applications. Encryption was not the magic shield people imagine, either: if the role is allowed to read the data, an attacker borrowing that role gets to read it too.
Amazon's statement boiled down to: misconfigured firewall, not us. They were right. The vault held. The key was in the box by the door, again.
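The mechanics of that one request, as an added example (this is not code from the Capital One incident or from AWS): a server-side URL fetcher of the kind a firewall, image proxy or webhook tester exposes, first in the shape that lets a caller point it at the instance metadata service, then with a deny-by-default destination check. The hostnames, the allowlist and the tiny DNS table are constructed for the example so it runs offline; the metadata address 169.254.169.254 and its credentials path are the real ones.

```python
import ipaddress
from urllib.parse import urlsplit

# Real address of the EC2 instance metadata service (IMDS). On an instance with a
# role attached, this path hands back the role's temporary credentials.
IMDS_CREDS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# Constructed DNS table so the example runs offline. The second entry simulates a
# hijacked or rebound name that quietly points at the metadata service.
FAKE_DNS = {
    "images.example.com": "93.184.215.14",
    "assets.example.com": "169.254.169.254",
}

# Only names the application has a business reason to fetch. Everything else is denied.
ALLOWED_HOSTS = {"images.example.com", "assets.example.com"}


def vulnerable_target(url):
    """Capital One-style fetcher: whatever the caller names, the server connects to.
    Returns (host, port) with no validation, so IMDS is one request away."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def _is_internal(ip):
    # is_link_local covers 169.254.0.0/16, i.e. the metadata service itself.
    return (ip.is_link_local or ip.is_loopback or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_destination(url, resolve=FAKE_DNS.get):
    """Hardened decision for the same fetcher. Returns (ok, detail).

    Order matters: scheme, then no IP literals at all, then the allowlist, then
    resolve the name and re-check the address it actually points to. The caller
    must then connect to that checked IP, not resolve the name a second time,
    or a DNS answer can change between the check and the connect."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)          # catches 169.254.169.254 and [::ffff:...] forms
    except ValueError:
        pass
    else:
        return False, "IP literals not allowed"
    if host not in ALLOWED_HOSTS:           # decimal/octal IP tricks land here as unknown names
        return False, "host not on allowlist"
    answer = resolve(host)
    if answer is None:
        return False, "unresolvable host"
    ip = ipaddress.ip_address(answer)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                 # ::ffff:169.254.169.254 is still the metadata service
    if _is_internal(ip):
        return False, f"resolves to internal address {ip}"
    return True, str(ip)


if __name__ == "__main__":
    print("vulnerable fetcher would connect to:", vulnerable_target(IMDS_CREDS))
    for u in (IMDS_CREDS,
              "http://[::ffff:169.254.169.254]/latest/meta-data/",
              "http://2852039166/latest/meta-data/",
              "https://assets.example.com/logo.png",
              "https://images.example.com/logo.png"):
        print(u, "->", check_destination(u))
```

Two caveats a practitioner would add. The check above is the application's half; the provider's half for this exact bug is IMDSv2, which AWS shipped later in 2019 and which requires a session token obtained with a PUT request before the credentials path will answer, so a plain GET forwarded by a proxy gets nothing. And none of this reduces the damage once a key leaks: the role attached to that firewall should never have been allowed to list every bucket in the account in the first place.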
If you want the full caper, the book Flawless and Notarbartolo's own (extremely unreliable) 2009 Wired interview have it. The Capital One mechanics live in TechTarget's reporting from the week it broke and a later ACM case study.
The sticker on the locked PC
When I was starting out, I got sent to a cybersecurity lecture at one of those enormous companies where the lobby has its own weather. They walked a room of young security engineers through the fundamentals: strong passwords, least privilege, lock your screen. Solid lecture. On the way out I passed a workstation, dutifully locked, screen dark. Taped to the monitor was a sticker with the password on it.
I think about that sticker on every cloud review I've done since, because your account has stickers too. They just look like settings. A few I keep meeting:
The storage bucket someone flipped to public at 11pm to make an image load, with a mental note to flip it back, now eight months old. The Supabase project with row-level security switched off "for now," so every row is readable by anyone with the anon key, which lives in your frontend code. The role with full admin access, created to unblock one deploy, now quietly attached to everything. The access key from 2024, in a .env on a laptop that's been to four conferences since, still valid, still all-powerful.
None of this is exotic, and that's the point. Every tool you run ships with a secure configuration and an insecure one in the same box, and your one recurring job is knowing which of the two you're running. Nobody hacks these. They walk up and read the sticker.
You don't have to find them by squinting. Big companies point scanners at their accounts for exactly this reason. AWS Config does it natively. Prowler does it for free, across the big clouds. Tools like Shielda go one step further: consolidate the findings, rank what can actually hurt you, and help fix it. The tool matters less than the habit: run the scan, read the ugly list, peel off the stickers.
One thing worth understanding
Here is the one idea to keep, because the tools rot and this won't. In the cloud, the perimeter stopped being a place. It's a credential now. Your provider's wall can tell where a request came from. It cannot tell whether the key in that request is yours or belongs to someone who's been renting the office next door for two years, waiting. A valid key is a valid key.
If the credential is the perimeter, then every long-lived access key, every role scoped to "just give it everything for now," every admin login that never logs out is one more password sticker on one more locked PC. You don't fix that by watching harder. You fix it by making each key worth almost nothing to steal.
In practice that's three moves you set up once and barely touch. Multi-factor authentication on every human who can log into the console, root account included, so a stolen password dead-ends. Long-lived access keys swapped for short-lived ones, through single sign-on and roles that hand out temporary credentials, with any permanent key you genuinely can't avoid rotated on a schedule, so a stolen key expires before the thief gets it home. And once a quarter, not once a day, you run that scan and deal with what it shows you. You're not trying to build a better vault than your provider's. You'll lose that one. You're making sure the keys inside are worthless five minutes after anyone grabs them.
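What "run the scan, read the ugly list" looks like with the tooling stripped away, as an added example that is not the output of AWS Config, Prowler or Shielda: a small auditor run over a constructed inventory (the buckets, policies, keys, users and tables below are made up for the example; nothing is fetched from a real account). It flags the four stickers from the list earlier and the console users without MFA from the three moves above, and its policy check shows the difference between the role that can "do whatever you like" and the one that can only send the welcome email.

```python
from datetime import date, timedelta

# Fixed "today" so the key-age check is reproducible. Constructed for the example.
TODAY = date(2025, 6, 1)

# Constructed inventory standing in for what a scanner pulls from the account API.
INVENTORY = {
    "buckets": [
        {"name": "customer-exports", "public": True},     # the 11pm "make the image load" flip
        {"name": "marketing-assets", "public": False},
    ],
    "policies": [
        {"name": "deploy-unblock-admin",                  # created to unblock one deploy
         "attached_to": ["web-server-role", "ci-role", "lambda-role"],
         "statements": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"name": "welcome-email",                         # the role that can only send mail
         "attached_to": ["web-server-role"],
         "statements": [{"Effect": "Allow", "Action": ["ses:SendEmail"],
                         "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com"}]},
    ],
    "access_keys": [
        {"user": "alice", "key_id": "AKIA-EXAMPLE-OLD", "created": date(2024, 2, 10), "active": True},
        {"user": "bob", "key_id": "AKIA-EXAMPLE-NEW", "created": date(2025, 5, 20), "active": True},
    ],
    "users": [
        {"name": "alice", "console": True, "mfa": False},
        {"name": "bob", "console": True, "mfa": True},
        {"name": "svc-deploy", "console": False, "mfa": False},   # no console, MFA not applicable
    ],
    "tables": [   # Supabase-style: rls False means the anon key in the frontend reads every row
        {"name": "profiles", "rls": False},
        {"name": "audit_log", "rls": True},
    ],
}

MAX_KEY_AGE = timedelta(days=90)


def _wildcard(value):
    return value == "*" or (isinstance(value, list) and "*" in value)


def is_admin_statement(stmt):
    """True for the 'do whatever you like' shape: Allow on Action * over Resource *."""
    return (stmt.get("Effect") == "Allow"
            and _wildcard(stmt.get("Action"))
            and _wildcard(stmt.get("Resource")))


def audit(inv, today=TODAY):
    """Return findings as (severity, kind, subject, detail) tuples, worst first."""
    found = []
    for b in inv["buckets"]:
        if b["public"]:
            found.append(("HIGH", "public-bucket", b["name"], "readable by anyone on the internet"))
    for p in inv["policies"]:
        if any(is_admin_statement(s) for s in p["statements"]):
            found.append(("HIGH", "admin-policy", p["name"],
                          "full admin, attached to " + ", ".join(p["attached_to"])))
    for t in inv["tables"]:
        if not t["rls"]:
            found.append(("HIGH", "rls-off", t["name"], "every row readable with the anon key"))
    for k in inv["access_keys"]:
        age = today - k["created"]
        if k["active"] and age > MAX_KEY_AGE:
            found.append(("MEDIUM", "stale-key", k["key_id"], f"{k['user']}, {age.days} days old"))
    for u in inv["users"]:
        if u["console"] and not u["mfa"]:
            found.append(("MEDIUM", "no-mfa", u["name"], "console login without MFA"))
    rank = {"HIGH": 0, "MEDIUM": 1}
    return sorted(found, key=lambda f: (rank[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for sev, kind, subject, detail in audit(INVENTORY):
        print(f"{sev:6} {kind:14} {subject:22} {detail}")
```

Two things the toy deliberately skips that the real scanners do not. A bucket is "public" through more than one door (ACLs, the bucket policy, the account-level block-public-access setting), so a single boolean understates it. And real IAM policies use NotAction, conditions and wildcards inside action names ("s3:*"), which is why the providers ship dedicated analysers for the question "what can this role actually reach"; the wildcard check here is the loud, obvious sticker, not the whole wall.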
One last thing
They caught Notarbartolo, by the way. Not because layer eleven kicked in. Because one of his crew got jittery and dumped a bag of garbage in the woods outside Antwerp, a local landowner went poking through it, and there it was: envelopes from the Diamond Center itself, and a half-eaten salami sandwich carrying Notarbartolo's DNA. The greatest vault heist in history, undone by a man who couldn't find a bin.
Your provider's vault will hold. It's the best thing in this whole story. Spend your worry on the stickers, on the dull quarterly hour nobody volunteers for, and on the sandwich you're about to leave lying around your own building. That half is yours. It's also the only half anyone was ever going to walk through.