Automatic Cloud Security Compliance
This year, I had the incredible opportunity to represent Vodafone and our Cloud Engineering team as a speaker at Voxxed Days Crete 2025.
Being part of this event was not only a professional milestone, but also a chance to address the growing local tech community and showcase our innovative approach to cloud security automation and engineering excellence. I’m happy to be part of the Vodafone Tech Hub in Heraklion, Crete - a team that’s driving innovation and contributing to the local tech ecosystem.
My talk covered infrastructure automation, image management strategies, and practical ways to tackle legacy technical debt while meeting modern cloud security requirements.
In the blog below, you can find a snapshot of what was presented. You can also watch the full talk here 🎥
 
The True Scope of Security in a Corporate Environment
In today’s corporate landscapes, security is a team sport - every direction, every role, every process is touched by compliance needs. Security compliance demands strict standards and the integration of diverse tools across the software development lifecycle. From code quality analysis and dependency scanning to infrastructure patching and hardening schedules, we face complex challenges every day.
Yet, integrating these tools—and setting corporate standards—can sometimes slow down development. Too often, this leads to miscommunication, repeated meetings, and unwanted noise, which may create more challenges instead of solving the real problems.
 
Our goal is to build the foundational blocks for reusable, hardened pipelines and platforms that empower development teams. Security operations should remain mostly invisible in developers’ daily flows, enabling them to focus on innovation while allowing security teams to retain oversight for compliance and risk management. When issues arise, targeted alerts and prompt remediation drive focus and clarity—engaging only the right people at the right time.
How We Do It: Secure Cloud Pipelines as Code
We embrace DevOps best practices, defining everything as code using technologies like Terraform, Packer, Kubernetes, native cloud services, ArgoCD and GitHub Actions. Let’s break down how our deployment pipeline works today:
 
Building Blocks: Our infrastructure, CI/CD, and security controls are codified, reusable, and continuously improved through collaborative processes.
GitHub Actions: DevOps and security engineers collaborate via reusable, integrated workflows. Every pull request triggers security tools such as SonarQube for static code review and Mend for dependency scanning—automatically, by default.
Image Building: Using Docker, we create secure images and push them to our cloud ECR registries. Developers build and deploy on top of these images, assured of their compliance.
OS Images with Packer: We use Packer to generate standardized OS images, already equipped with security agents (such as Qualys and Defender), which provide deep monitoring and real-time remediation insights for vulnerabilities.
Terraform-Driven Infrastructure: Terraform manages infrastructure as code, tracks all changes, and relies on shared AMIs to keep everything consistent, up-to-date, and secure.
Developer Perspective: Developers implement Helm charts, deploy applications using our hardened building blocks, and enjoy streamlined workflows with minimal manual security intervention.
Automated Patching and Always-On Hardening
Our dedication to compliance extends to automated infrastructure patching and hardening, maximizing efficiency and minimizing disruption:
 
Patching Schedules: Every Friday, we automatically build secure OS images with Packer, embedding all critical security agents.
Non-working Hour Deployment: Hardened images are deployed every Monday, leveraging non-working hours for updates, ensuring zero downtime for production workloads.
Continuous Monitoring: New vulnerabilities are flagged instantly through the embedded agents, so improvements can be deployed rapidly and silently.
Resource Optimization: Our systems are cost-efficient and highly secure, with pre-approved OS update cycles and “scale-to-zero” on non-production environments during off-hours.
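The Friday-build, Monday-deploy cadence above gives a concrete drift check: any instance still running an image older than the last rolled-out Friday build, or missing an embedded agent, is out of compliance. The sketch below is an added example, not Vodafone's code; the inventory fields (`name`, `image_built`, `agents`), the agent labels, and the rule that a rollout counts as complete the day after its Monday are assumptions.

```python
from datetime import date, timedelta

# Agent labels taken from the post's examples; the inventory schema is assumed.
REQUIRED_AGENTS = {"qualys", "defender"}

def required_build_date(today: date) -> date:
    """Friday build that the most recent completed Monday rollout shipped."""
    # Assumption: a rollout counts as complete the day after its Monday,
    # so on a Monday the previous week's image is still the expected one.
    days_back = today.weekday() or 7  # Monday is weekday 0
    last_rollout = today - timedelta(days=days_back)
    return last_rollout - timedelta(days=3)  # Monday minus 3 days is Friday

def audit(inventory: list[dict], today: date) -> dict[str, list[str]]:
    """Return {instance name: [reasons]} for every non-compliant instance."""
    required = required_build_date(today)
    findings: dict[str, list[str]] = {}
    for inst in inventory:
        reasons = []
        built = date.fromisoformat(inst["image_built"])
        if built < required:
            reasons.append(f"image built {built}, expected {required} or later")
        missing = REQUIRED_AGENTS - {a.lower() for a in inst["agents"]}
        if missing:
            reasons.append("missing agents: " + ", ".join(sorted(missing)))
        if reasons:
            findings[inst["name"]] = reasons
    return findings

# Constructed sample inventory (not real hosts).
SAMPLE = [
    {"name": "web-1", "image_built": "2025-06-06", "agents": ["Qualys", "Defender"]},
    {"name": "batch-1", "image_built": "2025-05-30", "agents": ["Qualys", "Defender"]},
    {"name": "api-1", "image_built": "2025-06-06", "agents": ["Qualys"]},
]

if __name__ == "__main__":
    # Wednesday 2025-06-11: the image built on Friday 2025-06-06 is expected.
    for name, reasons in audit(SAMPLE, date(2025, 6, 11)).items():
        print(name, "->", "; ".join(reasons))
```

Feeding it a real inventory export turns the schedule into a targeted alert: only hosts that missed a rollout or lost an agent are reported.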
Impact, Vision and the Future
Our overarching goal is clear: provide development teams with hardened platforms and pipelines they can trust, freeing them from day-to-day security burdens. Security operates quietly in the background, enabling developers to focus, while security teams ensure compliance and risk management remain watertight.
By embracing best-in-class DevOps tools—Terraform, Packer, Kubernetes, ArgoCD, and GitHub Actions—we deliver modern, reliable, and secure platforms. Presenting at Voxxed Days Crete Heraklion 2025 was a proud moment for Vodafone, marking Crete on the map as a thriving tech hub and sharing a blueprint for others striving to automate, secure, and accelerate their cloud journeys.
Thank you to everyone who made this experience possible and for contributing to our collective vision for secure, innovative, and collaborative cloud engineering.
If our work at Vodafone Engineering excites you, check out career opportunities in our team.