A DevSecOps Approach to Cloud Security

Security and compliance are a shared responsibility between a customer and its cloud provider. Even though a cloud provider assumes the responsibility of ensuring virtual and physical infrastructure security, it’s the customer security team that’s ultimately responsible for protecting application and customer data in the cloud. And in a dynamic cloud environment, where business owners want to ensure security without causing a slowdown in application development, your job as a cloud security admin is extremely tricky.

“Collaborative” Security Model for DevSecOps Culture

Since our beta announcement at VMworld, the feedback from early customers is clear. Security teams need a way to foster a more collaborative DevSecOps culture within their organizations. The key is to partner with developers from the beginning and safely distribute the responsibility of security without getting in the way of application agility.

In this public case study, Anji Green, Bazaarvoice’s Director of Security, shares how she is using VMware Secure State to build a relationship of trust with application team owners. Secure State is enabling her to integrate best security practices into development teams by sharing real-time insights into risks that lie within the cloud infrastructure that they are responsible for.

 

Here are a few more example capabilities that our customers are finding useful while ensuring security and compliance of applications in production today.

 

Prioritize Threats by Granular Risk Scores

When there are hundreds of security violations in a cloud account, it’s difficult to separate critical threats from noise. Secure State gives you greater context into where those risks exist and a granular risk score for every violation to help you prioritize key threats. The example below illustrates two similar threats due to a TCP port that’s open to the internet. As is evident, the vulnerability on the right poses a much greater risk because it’s connected to a larger number of objects, so it should be prioritized first for resolution.

Detect Extremely Difficult to Find “Connected Threats”

Secure State looks beyond isolated misconfigurations to identify some of the most critical but difficult-to-find “connected threats” that occur across a whole chain of configured services. The example below shows a threat where a publicly routable EC2 instance shares the same SSH key with an instance that has administrative privileges. If the publicly routable instance is compromised during an attack, it could lead to a severe security breach, including the loss of administrative privileges to your cloud account. The ability to detect such critical “connected threats” is unique to Secure State.
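The shared-key check described above can be sketched over an instance inventory. This is an added example, not Secure State's code or algorithm; the inventory is constructed, its field names are assumptions, and "exposed" is assumed to mean a public IP plus SSH open to any address.

```python
from collections import defaultdict

# Constructed inventory (not real data). Field names are assumptions standing
# in for what a cloud inventory export would provide per instance.
INSTANCES = [
    {"id": "i-web-01", "key_name": "team-shared", "public_ip": "203.0.113.10",
     "ssh_open_to": ["0.0.0.0/0"], "role_policies": ["ReadOnlyAccess"]},
    {"id": "i-admin-01", "key_name": "team-shared", "public_ip": None,
     "ssh_open_to": ["10.0.0.0/8"], "role_policies": ["AdministratorAccess"]},
    {"id": "i-batch-01", "key_name": "batch-key", "public_ip": None,
     "ssh_open_to": [], "role_policies": ["AdministratorAccess"]},
    {"id": "i-web-02", "key_name": "web-key", "public_ip": "203.0.113.11",
     "ssh_open_to": ["0.0.0.0/0"], "role_policies": []},
]

ADMIN_POLICIES = {"AdministratorAccess"}  # AWS managed policy name
ANYWHERE = {"0.0.0.0/0", "::/0"}


def is_exposed(inst):
    """Assumed definition: has a public IP and SSH is open to any address."""
    return bool(inst["public_ip"]) and bool(ANYWHERE & set(inst["ssh_open_to"]))


def is_admin(inst):
    """The instance role carries an administrative policy."""
    return bool(ADMIN_POLICIES & set(inst["role_policies"]))


def connected_threats(instances):
    """Return (key_name, exposed_id, admin_id) for every shared-key path."""
    by_key = defaultdict(list)
    for inst in instances:
        if inst["key_name"]:
            by_key[inst["key_name"]].append(inst)
    findings = []
    for key, group in sorted(by_key.items()):
        exposed = [i for i in group if is_exposed(i)]
        admins = [i for i in group if is_admin(i)]
        # Neither instance is a finding alone; the shared key links them.
        findings += [(key, e["id"], a["id"])
                     for e in exposed for a in admins if e["id"] != a["id"]]
    return findings


if __name__ == "__main__":
    for key, exposed_id, admin_id in connected_threats(INSTANCES):
        print(f"key pair {key!r}: exposed {exposed_id} -> admin {admin_id}")
```

Giving the administrative instance its own key pair removes the finding, which is the remediation the check points to.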

 

Share security insights with your application teams

Everything in Secure State revolves around your application team. Team-specific dashboards enable security administrators to collaborate with application owners and provide real-time insight into the vulnerabilities that exist in only their applications. Administrators can file tickets, send Slack messages to alert teams to critical violations, and suppress less critical alerts that contribute to noise.

Sign Up For Your Free Cloud Security Assessment Today

If this is something that you found interesting, I recommend that you sign up for a free cloud security assessment with Secure State today. Your cloud assessment will take less than an hour, and if you like the results, you can continue to use the service free of cost for a 30-day evaluation period.

Meet the Secure State Team at AWS re:Invent 2018

Attending AWS re:Invent? You can visit us at the CloudHealth by VMware booth (#1206) to get a service demo and an invitation to VMware’s customer reception in Vegas.
