Cavirin Blog

eBook = A Modern Approach to Securing Your Hybrid Cloud

Ten Selection Criteria, from the Cavern eBook, 'Securing Your Hybrid Cloud'

Download at:

1: Flexibility

The ease of implementation and the ability to span multiple workload environments (i.e., IaaS, PaaS, on-premise, VMs, containers, and in the future, FaaS), delivering a single view, is integral for mid-size and enterprise organizations. Ideally, if initially deployed on-premise, the same tools and applications will extend into the cloud. This implies that the platform architecture has been conceived from the start for hybrid environments. Flexibility also includes ease of installation from a cloud service provider’s marketplace.

2: Extensibility

DevOps-friendly open APIs open the platform to external data sources and sinks such as IAM/PAM, SIEM/UEBA, logging, threat intelligence, or a helpdesk. This out-of-the box cloud and API interoperability is essential to accommodate business-critical applications. APIs also enable integration into an organization’s CI/CD process and their DevOps tools. This of course relates to lifecycle container support that encompasses images, the container runtimes, and orchestration.

3: Responsiveness

As today’s security threats quickly multiply, minimizing the time required for implementation and time to baseline, as well as quickly identifying any changes in posture, has become vital. This implies a microservices-based architecture for elastic scaling, and an agentless architecture that adapts well to containers and function-based workloads as well as eliminating ‘agent’ bloat that impacts CPU, memory, and I/O.

4: Agility

Permitting the organization to initially sample what part of the network (fraction of workloads) is critical to them within a given time period, and then scale from there. The cloud provides this agility, and the security tool architecture must be designed to follow suit.

5: Deep Discovery

It’s essential to automatically identify existing and new workloads as well as changes to existing ones across multiple cloud service providers, and then the ability to properly group these by function. This discovery should be a simple process, leveraging existing AuthN and AuthZ policies to avoid having to create a special IAM policy every time.

6: Broad Policy Library

The platform must support a wide range of benchmarks / frameworks / guidelines and the creation of custom polices based on workload type. These policies should automatically apply to existing and new workloads. Broad coverage also relates to OSs, virtualization, and cloud service providers. Capabilities may include OS hardening, vulnerability and patch management, configuration management, whitelisting, and system monitoring.

7: Real Time Risk Scoring Across Infrastructure

Assets, once discovered and with policies applied, must be scored. This may be individually, across different slices of the infrastructure (i.e., location, subnet, department), by workload type across environments (i.e., cloud and on-premise), or by application (i.e., PCI, web). Scoring must be prioritized, available historically, integrated with 3rd party tools for automation or into an existing UI, and most importantly, correlated. For example, an organization operates a web server farm with 10 on-premise Red Hat Enterprise Linux servers and begins to transition to the cloud. Mid-way through the migration, five web servers are on Azure, and five on-premise. If tracking PCI compliance, the tool must generate a normalized view across both environments.

8: Container (Docker) Support

Docker technology has attracted the attention of many enterprise adopters -- if you are implementing containers either on-premise or as part of a cloud deployment, you need to ensure that their workloads are secure. And, if you bring in images from a registry, you need to ensure that these are not corrupted. Many of the same capabilities described in (6) apply here as well, such as hardening, scanning, and whitelisting. One way to look at container support is across a lifecycle that includes image scanning, run-time hardening, and security at the orchestration layer.

9: Cloud-agile Pricing

Reflecting the cloud compute and storage pricing model, it’s important to adopt a pricing model that has the exibility to meet changing requirements. This may involve a SaaS offering, or connecting the back-end of the platform to the cloud service provider’s billing engine, with an ability to charge to the minute. Alternatively, pricing may be abstracted but still agile, closer to the concept of committed and burst workloads, and analogous to a cellphone provider’s rollover-minutes model. In either case, this is a departure from existing static pricing.

10: Intelligence

Predictive analytics permits the platform to ‘predict’ the outcome of change, a ‘what-if’ analysis for con gurations and OSs, is crucial in today’s quickly changing environment. It is capable of bringing in data from 3rd parties via APIs to create a more correlated view of this change. Some customers describe this as a ‘virtual whiteboard.’

eBook = A Modern Approach to Securing Hybrid Workloads

 Did you know? 

  • Through 2020, 90% of cloud breaches will be due to customer misconfiguration, mismanaged credentials, or insider theft, and not cloud provider vulnerabilities
  • 89% of breached organizations had a firewall in place at the time of compromise
  • 70% of all healthcare data breaches were due to device theft or loss
  • In one case, a US health insurer experienced a data breach of millions of patient (PHI) records, with a direct cost of only 4% but a total exposure of $1.68B

Is there a way out?

We’re pleased to announce the availability of our eBook, ‘A Modern Approach to Securing Hybrid Workloads.’  It looks at how to build an architecture that is both continuous and agile for cloud infrastructure security, reducing the potential threat of a breach by providing a single, hybrid view, across private and public clouds.  We look at the following challenges facing CISOs, their IT staff, and DevSecOps, and outline solutions.

  • What are the challenges facing today’s CISO with regard to information overload and accountability?
  • Why continuous security is so critical in the cloud and for containers
  • The shared responsibility model and where enterprises trip up
  • Fundamentals of a cloud-native security architecture including micro-services and APIs
  • Operations including an AWS CloudFormation example
  • Container security and Functions as a Service
  • Ten Selection Criteria –
    • Flexibility
    • Extensibility
    • Responsiveness
    • Agility
    • Deep Discovery
    • Broad Policy Library
    • Real-Time Risk Scoring Across Infrastructure
    • Container (Docker) Support
    • Cloud-agile Pricing
    • Intelligence
  • Benchmark Development
  • Glossary and references for cloud security

Learn more - Pick up your copy today



Control Your Container

I’m happy to announce the availability of the latest benchmark addressing the container ecosystem – the Kubernetes 1.7 Security Benchmark.  Kubernetes 1.7 brings tons of security improvements. We, at CIS Kubernetes community, have been busy to give you an updated benchmark quickly. Download your copy from the CIS website.   For an additional perspective on the release and enterprise-scale capabilities, please check out the google blog.

This version of the benchmark has undergone changes to reflect the above improvements. Below is a quick summary.

Control Your Cloud

Petya'd?  Cavirin to the Rescue!

On the back of WannaCry, the latest ransomware of the week is GoldenEye, a variant of Petya.  First reported a few days back, it has already caused havoc within some very large organizations.  Maersk, for example, was impacted, and one of our engineers from Bangalore reported that 10 million containers at the port of Mumbai don't know where to go.  No, Docker isn't going to come to the rescue.  And you think an airline reservation system shutdown is bad!  What is disturbing to me is that four of the companies hit - Maersk, Me-Doc, Merck, and Mondelez - all start with 'M', and that it is mostly targeted against critical industries.  Today's ransomware attack is sponsored by the letter M.  Someone refining their attack vectors?

Control Your Cloud

A few days back, a security researcher came upon what is potentially one of the largest exposures to-date of Personally Identifiable Information (PII), but one that was so easy to prevent using the tools available.  Deep Root, a data analytics firm, had posted almost 200 million voter records to their AWS S3 database. This is the distributed offering leveraged by the majority of businesses and SaaS offerings that use AWS.  Note that this is also the same S3 that experienced a wide-ranging failure earlier in the year.  In this case, Deep Root set permissions on their database that would expose it unencrypted and with no password required to the outside world.  Just think what would have happened under GDPR if this occurred in 2018 within the European Union.

Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.



5201 Great America Pkwy Suite 419  Santa Clara, CA 95054

- 1-408-200-3544

Cavirin US Location