DevOps

Azure Hardening

This morning, Cavirin announced the near-term availability of the new CIS Microsoft Azure Foundations Benchmark.  The document is expected to be generally available within the next week or two, but why wait?  It is available today to anyone with CIS access, and it is a milestone for public multi-cloud security: a foundational and prescriptive guideline for organizations to establish a healthy security posture for their Azure Cloud investments.  This is the first hardening benchmark for Azure, complementing the earlier benchmark for AWS, which Cavirin also supports.  To address any confusion: other cloud security vendors do offer a view into one's Azure security posture via the published APIs.  We do the same, but the CIS Benchmark takes a different approach and uncovers a deeper level of understanding.

The availability of the new CIS Benchmark is critical to securing hybrid cloud environments.  CNBC recently reported that AWS held a 62% market share for public cloud deployments, a drop from 68% a year earlier.  In the same timeframe, Azure jumped from 16% to 20%.  More importantly, ESG states that by the end of 2018, 81% of enterprises in the cloud will deploy on more than one provider. Cavirin's goal is to enable hybrid cloud security, offering an organization a single, correlated view of its security posture across multiple public clouds as well as on-premise.  This is very different from a simpler multi-cloud deployment that looks at each cloud in isolation, 'clouds in the night' if you will.

The recommendations fall into eight areas:

  • Identity and Access Management
  • Security Center
  • Storage Accounts
  • SQL Services
  • SQL Databases
  • Logging and Monitoring
  • Networking
  • Virtual Machines
  • Other Security Considerations

DevOps automation

Earlier today, Bashyam Amant, our Sr Director of PLM, and Vaidehi Rao, our Director of Engineering, hosted a webinar entitled 'Full-Stack Container Security,' borrowing for the container space a (sometimes confusing) term familiar to many of you.  One of the best definitions, and a good jumping-off point, is at codeup:

‘A full-stack developer is simply someone who is familiar with all layers in computer software development. These developers aren’t experts at everything; they simply have a functional knowledge and ability to take a concept and turn it into a finished product. Such gurus make building software much easier as they understand how everything works from top to bottom and can anticipate problems accordingly. In our opinion, this is the most realistic definition of a full-stack developer.’  For those looking for even more history on the topic, the turtles end at FB.

Extending this paradigm to containers and Docker, in our view, in order to have complete awareness of how your container deployments impact your overall security posture, you must have tools that look at each 'layer' of the 'stack' while at the same time offering a unified rather than a disjointed view.

cloud DevSec Ops

DevOps security automation plays a key role in DevSecOps

Check out the executive viewpoint, "It's Time to Stir Security into the DevOps Mix", posted on the Security Current web site earlier this month.  The article highlights the fact that creating secure software and systems has never been more challenging: the number of devices that hook into company data, coupled with increased mobility and a shift to cloud services and storage, has dramatically increased the potential attack surface of most organizations.  These organizational changes require the adoption of a new approach, chiefly breaking down barriers, boosting collaboration, and increasing automation, often referred to as cloud DevSecOps.  In the article, we emphasize three key ingredients necessary to pursue cloud DevSecOps.


Big Data aficionados should be familiar with data volume, velocity and variety as the key pillars that distinguish modern analytics environments from the prior generation. A similar trend is taking shape in infrastructure security with the adoption of public clouds and microservices architectures, significantly complicating the Security Operations (SecOps) job.

According to Datadog, there are 185 million Docker containers in use across 10,000 companies, or 18,500 containers per company on average among those that do use Docker! If this is any harbinger of scale, SecOps teams will continue to have a lot on their hands. Automated profiling and management of risk is the only way to secure an environment with such volumes.

Several companies' DevOps organizations are pushing code as often as several times a day; Amazon.com, for example, deploys every 11 seconds (see Velocity Culture). Compound that with the desire to optimize costs via auto-scaling approaches. The average container lifecycle is 2.5 days while the average virtual machine lasts 14 days, likely reflecting the transient nature of auto-scale workloads. An inadvertent configuration change or a vulnerable package in a high-velocity continuous deployment can jeopardize your security posture. Active monitoring of infrastructure and timely remediation of gaps in security are keys to SecOps success.

According to Forbes, citing RightScale's 2017 State of the Cloud Survey: "85% of enterprises have a multi-cloud strategy today, up from 82% in 2016, 58% are planning a hybrid cloud strategy, up from 55% a year ago. RightScale also found an increase in the number of enterprises planning for multiple public clouds (up from 16% to 20%)".

SecOps = Secure Hybrid Infrastructure

From minimal use just a few short years ago, containers, and most notably Docker, have gained nearly 30% penetration. This container penetration is primarily within DevOps, but it crosses into production environments and environments of all sizes. Unfortunately, early adoption came with less of a focus on security. This has been rectified over the past year or so, with security solutions for images, containers, and orchestration now available. However, any container security solution must be agile enough to match the speed at which containers are created and destroyed if the chance of a breach is to be minimized. Legacy scanning architectures won't suffice.

Control Your Cloud

This is the sixth blog in a series detailing workload best practices.

The first blog, 'Securing Modern Workloads', is available here

The second blog, 'Control Your Cloud', is available here

The third blog, 'Agility in Security', is available here

The fourth blog, 'Work Everywhere with Hybrid Solutions', is available here

The fifth blog, 'Security as you Go', is available here

-------------------

You have often heard about companies budgeting for compliance certifications. Each year, businesses budget for audits and for achieving vertical-specific compliance certification and authority to operate. These budgets are non-trivial and are usually spent in short periods of time rather than throughout the year.

There is confusion between agility and reality.

Businesses demand a rapid pace (agility) but at the same time must deal with compliance (reality).


A typical scenario is that during audits, budgets are spent in a hurry to ensure that security controls are in place so as not to miss the compliance certificate. This approach is potentially flawed. Compliance should be treated as a by-product of security. Good security measures and spending ensure that you have the necessary controls in place and that those controls are functioning as intended. Such security measures help you obtain compliance certificates. Additionally, they ensure a uniform security posture throughout the year rather than spikes at audit time to avoid fines and problems.

Your hybrid cloud strategy demands that you pay attention not only to on-premise workloads but also to your extended or shadow datacenters.

You quickly tend to acquire cloud-specific tools (agility) and then invest in staff to maintain two sets of tools (reality).


The applications and tools that you use for on-premise workloads may not deal with the realities of the cloud. The flux and dynamism of the cloud demand tools that can match the realities of hybrid workloads. Today your compute, storage and networking resources are fragmented between cloud and on-premise. This is your new reality. Your legacy as well as your modern applications have security requirements, and it is pointless to maintain footprint-specific tools any longer. You benefit from streamlining to tools that work seamlessly on both footprints.

You have convinced management to transform your security tools and processes to match cloud and on-premise needs, and you are ready to evaluate your options.


© 2018 Cavirin Systems, Inc. All rights reserved.