
Agility in Security


This is the third blog in a series detailing workload best practices.

The first blog, 'Securing Modern Workloads', is available here

The second blog, 'Control Your Cloud', is available here

-------------------

A lot is being said and written about agile practices and how they are transforming modern IT. Agility in security, a.k.a. SecDevOps, DevSecOps, SecOps, Security Orchestration or Security Automation, is getting called out as well.

Let's see what we are doing in this space:

  • Security Assessment of CloudFormation Deployments
  • Vulnerability and Compliance Assessments for Docker Containers
  • API endpoints for backward integration (pulling data from a source) and forward integration (pushing results to a destination)

Security Assessment of CloudFormation Deployments

AWS CloudFormation is the cornerstone of IT stack deployments. You can leverage AWS Quick Starts to build secure and compliant cloud infrastructure. Quick Starts, such as the PCI Quick Start, come with a pre-built template that you can use to deploy a PCI-compliant infrastructure. AWS lays out the Shared Security Responsibility Model for PCI.

AWS does most of the work in the CloudFormation templates, but over 36 PCI DSS requirements remain the customer's responsibility under that Shared Security Responsibility Model and are not addressed by the templates. Not only that: even if you begin with the PCI CloudFormation templates, once your stack is up you need a mechanism to track unauthorized changes and infringements. CloudFormation gives you point-in-time compliance at deployment; you also need period-in-time (continuous) compliance afterwards.

We take these Quick Starts and map each of your responsibilities to an AWS capability and configuration item. For example, in the Quick Start above, AWS has identified that requirement 8.2.3 is the customer's responsibility to configure and not something the CloudFormation templates can do at the moment.

One such example is below (shown as an image in the original post):

Beyond that, wherever a security configuration is set by CloudFormation itself, we map those requirements as well, so that you can continuously monitor your PCI stack (period-in-time compliance).

So, when you use AWS CloudFormation templates to build your PCI stack, our solution covers the PCI responsibilities left to you and continuously monitors the deployment against what the templates declare. You get the agility of CloudFormation, and security agility comes along with it from us, ready to plug in.
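As an added example (not Cavirin's code), here is what the two kinds of check look like in Python: a point-in-time check of an IAM account password policy against PCI DSS requirement 8.2.3 (passwords of at least seven characters containing both alphabetic and numeric characters), which the post says the customer must configure themselves, and a period-in-time drift check that compares the security properties a CloudFormation template declares with what a later inventory pull actually observes. The template fragment, the observed snapshot and the password policies are constructed sample data; the observed-state layout (keyed by logical resource name) is an assumption, and the password-policy keys are those of IAM's GetAccountPasswordPolicy response.

```python
"""Added example: point-in-time vs period-in-time checks for a PCI stack.

Not Cavirin's code. The template fragment, the observed snapshot and the
password policies are constructed sample data; the observed-state layout
(keyed by logical resource name) is an assumption.
"""
from typing import Dict, List

# Constructed fragment of a CloudFormation template: a DB security group that
# only admits one internal subnet, and an audit bucket with default encryption.
TEMPLATE = {
    "Resources": {
        "CardholderDbSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                     "CidrIp": "10.0.1.0/24"},
                ],
            },
        },
        "AuditLogBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}},
                    ],
                },
            },
        },
    },
}

# Constructed snapshot of the same resources as observed some time after
# deployment: someone opened the DB port to the world and removed encryption.
OBSERVED = {
    "CardholderDbSg": {
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "CidrIp": "10.0.1.0/24"},
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "CidrIp": "0.0.0.0/0"},
        ],
    },
    "AuditLogBucket": {"BucketEncryption": None},
}

# Constructed IAM account password policies (keys as in GetAccountPasswordPolicy).
WEAK_POLICY = {"MinimumPasswordLength": 6, "RequireNumbers": False,
               "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": False}
STRONG_POLICY = {"MinimumPasswordLength": 14, "RequireNumbers": True,
                 "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True}


def check_pci_8_2_3(policy: Dict) -> List[str]:
    """PCI DSS 8.2.3: at least seven characters, both alphabetic and numeric.
    Returns one finding per unmet condition; an empty list means compliant."""
    findings = []
    if policy.get("MinimumPasswordLength", 0) < 7:
        findings.append("8.2.3: minimum password length is below 7")
    if not (policy.get("RequireLowercaseCharacters") or policy.get("RequireUppercaseCharacters")):
        findings.append("8.2.3: alphabetic characters are not required")
    if not policy.get("RequireNumbers"):
        findings.append("8.2.3: numeric characters are not required")
    return findings


def detect_drift(template: Dict, observed: Dict) -> List[str]:
    """Compare every declared property with its observed value. Any difference
    is drift from the state CloudFormation created, i.e. a change made outside
    the template that a point-in-time check at deployment would never see."""
    drift = []
    for name, resource in template["Resources"].items():
        live = observed.get(name)
        if live is None:
            drift.append(f"{name}: resource no longer present")
            continue
        for prop, declared in resource["Properties"].items():
            if live.get(prop) != declared:
                drift.append(f"{name}.{prop}: declared {declared!r}, observed {live.get(prop)!r}")
    return drift


if __name__ == "__main__":
    for finding in check_pci_8_2_3(WEAK_POLICY) + detect_drift(TEMPLATE, OBSERVED):
        print(finding)
```

The drift check is deliberately strict: it reports any difference rather than deciding whether the change is dangerous, because an unexpected change to a PCI-scoped resource is itself something to review. Run on a schedule against a fresh inventory pull, it is the period-in-time half; the 8.2.3 check covers a responsibility the template never touched in the first place.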

Vulnerability and Compliance Assessments for Docker Containers

Everyone who is serious about container agility is looking for a way to tie image vulnerability assessment into their CI/CD process. We have taken this one step further: beyond vulnerability assessment, our in-house set of 25 security checkpoints assesses each image for common security misconfigurations applicable to Docker images.

You can then call the REST API against your Docker image and use the JSON response to make build-or-break decisions in the pipeline.
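What a build-or-break step looks like once the JSON is in hand, as an added example that is not Cavirin's code and does not use its API schema: the response layout below (vulnerabilities carrying a severity and an optional fix version, plus named configuration checkpoints with a pass/fail result) and all sample values, package names and identifiers are constructed for illustration. The gate collects every reason for failing rather than stopping at the first, and treats a required checkpoint that the scan did not report as a failure, not a pass.

```python
"""Added example: build-or-break gate over an image assessment JSON response.

Not Cavirin's code and not its API schema. The response layout below
(vulnerabilities with a severity and optional fix version, plus named
configuration checkpoints with a pass/fail result) and the sample values
are constructed for illustration.
"""
import json
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample response for one image. Package names and ids are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "image": "registry.example.com/payments/api:1.4.2",
    "vulnerabilities": [
        {"id": "sample-vuln-1", "package": "libfoo", "severity": "critical", "fixed_in": "2.0.1"},
        {"id": "sample-vuln-2", "package": "libbar", "severity": "high", "fixed_in": "1.3.7"},
        {"id": "sample-vuln-3", "package": "libbaz", "severity": "medium", "fixed_in": None},
    ],
    "checkpoints": [
        {"id": "runs_as_non_root", "result": "fail"},
        {"id": "no_secrets_in_layers", "result": "pass"},
        {"id": "healthcheck_defined", "result": "fail"},
    ],
})


@dataclass(frozen=True)
class GatePolicy:
    """What breaks the build. Tune per pipeline; these defaults are illustrative."""
    block_severities: Tuple[str, ...] = ("critical",)
    max_fixable_high: int = 0          # fixable highs beyond this count break the build
    required_checkpoints: Tuple[str, ...] = ("runs_as_non_root", "no_secrets_in_layers")


@dataclass
class GateResult:
    passed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(response_json: str, policy: GatePolicy = GatePolicy()) -> GateResult:
    """Parse the assessment response and apply the policy. Every reason for
    breaking the build is collected so the developer sees the full list at once."""
    report = json.loads(response_json)
    reasons: List[str] = []

    vulns = report.get("vulnerabilities", [])
    for v in vulns:
        if v.get("severity", "").lower() in policy.block_severities:
            reasons.append(f"{v['severity']} vulnerability {v['id']} in {v['package']}")

    fixable_high = [v for v in vulns
                    if v.get("severity", "").lower() == "high" and v.get("fixed_in")]
    if len(fixable_high) > policy.max_fixable_high:
        reasons.append(f"{len(fixable_high)} high-severity vulnerabilities already have a fix available")

    # A required checkpoint the scan did not report is treated as failed, never as passed.
    results = {c["id"]: c.get("result") for c in report.get("checkpoints", [])}
    for cp in policy.required_checkpoints:
        if results.get(cp) != "pass":
            reasons.append(f"checkpoint {cp}: {results.get(cp, 'not evaluated')}")

    return GateResult(passed=not reasons, reasons=reasons)


def exit_code(result: GateResult) -> int:
    """A non-zero exit fails the CI step, which is how the build is actually broken."""
    return 0 if result.passed else 1


if __name__ == "__main__":
    import sys
    outcome = evaluate(SAMPLE_RESPONSE)
    for reason in outcome.reasons:
        print("BREAK:", reason)
    sys.exit(exit_code(outcome))
```

In a real pipeline SAMPLE_RESPONSE is replaced by the body returned by the assessment endpoint for the image under test, and the non-zero exit is what stops the deploy. Keeping the policy in a small dataclass rather than in the pipeline YAML makes the thresholds reviewable and versioned alongside the code they gate.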

API endpoints for backward integration and forward integration

We have two-way API integrations on our platform:

  • backward-integration, where we pull the data from a source
  • forward-integration, where we push the data to a destination

Backward integration covers monitoring sources such as AWS CloudWatch or GCP Stackdriver: we pull the respective data and fold it into our security dashboards in a meaningful and comprehensive way. You are free to choose any other source for your data and we can pull it through as well. Backward integration also helps when you use identity vaults such as CyberArk: we hit the CyberArk APIs to pull the authentication tokens needed to carry out the required security assessments.

Forward integration feeds the security assessment results to a destination of your choice. This could be a Chef server to invoke remediation recipes, or PagerDuty to raise alarms. It could also be Zendesk or JIRA, to open security tickets automatically and kick off the security process.

Security agility matters as you embrace your cloud journey. It is increasingly hard to spend hour after hour on analysis and reporting for every security issue. Agile security practices automate that effort and let you spend your time on the security areas that demand immediate attention.

 

 


© 2018 Cavirin Systems, Inc. All rights reserved.