Over the last few years it has become amply clear that continuous and comprehensive configuration management is the key challenge in maintaining the security posture of your computing infrastructure and reducing the ever-present cyber risk, particularly as you adopt new technologies. We have seen in high-visibility breaches like Accenture, Dow Jones, CodeSpaces, and many others that an overlooked configuration setting, or a “temporary” configuration change that gets forgotten, can lead to massive data loss or worse.
Organizations know that consistent management practices are important, and have compliance processes (audits, training, and such) in place, particularly in regulation-sensitive industries (finance, health care, retail). However, as organizations look to expand their computational footprint from traditional on-premise IT infrastructures to the public clouds, we find that they run into four key challenges that, without adequate planning, have a significant impact on their cyber risk. We call these issues scale, novice-user risk, dynamics, and multi-cloud.
Scale: Industry experience has shown that as organizations migrate from traditional on-premise solutions to private clouds and virtualization (using VMware, for example), to public clouds (AWS, GCE, Azure), and to containerization, the number of entities that need to be managed grows by an order of magnitude at each step. Infrastructures go from tens of physical servers, to hundreds of VMs in VMware installations, to thousands of cloud servers, and tens of thousands of containers. Traditional manual management processes simply cannot scale. Organizations resort to sampling their infrastructure for compliance, picking a few percent of their servers at each compliance interval, leaving many more assets unconfigured. If each server has hundreds of critical configuration parameters that need to be controlled, then multiplied across thousands of servers, the problem becomes unmanageable in any manual system.
Novice-User Risk: The overriding value of cloud architectures is the ease with which developers and organizational lines of business can access and set up new compute infrastructure. Compared to the months it normally takes to requisition and deploy a new physical server, an equivalent server can be provisioned on AWS in under a minute by anyone with the right credentials. This has led to the new paradigm of Cloud-DevOps, where developers can spin up cloud assets, load the latest software modules on them, test them, and destroy them or promote them to production. However, developers do not understand (or take shortcuts around) security paradigms in order to accelerate their work. Indeed, most developers consider their CISO to be the “enemy” since the CISO is always saying “NO!” to anything they want to do.
Dynamics: Current industry statistics show that approximately 10M new VMs get created on the cloud every day, with an average life span of 10 days to a month. This is in stark contrast to traditional IT infrastructures, where servers stayed in operation for three to five years (often without being rebooted). Clearly, in such a dynamic world, quarterly audits lose relevance. An auditor has no access to the large number of servers that have come and gone during the quarter and hence can make no meaningful claims about the residual risk to the organization.
Multi-cloud: As enterprises take advantage of the public clouds, they soon discover that costs start ballooning. To manage costs, and to avoid lock-in to one particular cloud vendor, enterprises adopt a hybrid strategy where compute infrastructure is spread across two or more public clouds, along with some (usually critical) core kept on in-house VMs or bare-metal servers. Managing the security posture consistently across such diversity is a significant challenge, because no public cloud provider has any incentive to allow their security management tools to be operable on any competing cloud. This forces organizations to choose between adopting a lowest-common-denominator approach across the platforms and adopting growing numbers of incompatible tools, each tailored to one of their environments.
Cloud Raxak’s award-winning (Gartner Cool Vendor 2016) subscription-based security configuration management solution, available as a SaaS service or as an on-prem appliance, simplifies and automates the process of consistently applying 300-500 critical controls derived from international standards, comprehensively to your hybrid IT infrastructures (across all public and private clouds, and on-prem elements), continuously over the entire infrastructure lifecycle. We have shown our worldwide customers that it can reduce customer cyber risk by over 95% while simultaneously reducing management costs by over 85%.
Visit https://www.cloudraxak.com for more information and for a free cybersecurity risk assessment to evaluate your enterprise’s infrastructure security posture.