A lot of folks have realized that manually fixing cloud infrastructure to correct security and compliance issues is just too slow and error-prone to handle the threat landscape on the cloud. An increasingly common approach to speeding up remediation these days is to use cloud functions, such as AWS Lambda or Azure Functions, connected to a threat detection tool, to remediate specific cloud misconfigurations.
Yesterday, we showed you how you can use Fugue to scan your AWS infrastructure, discover what resources you have running, and identify any policy violations for compliance frameworks like HIPAA, GDPR, NIST 800-53, and the AWS CIS Benchmarks.
We’re thrilled to announce that Fugue’s Software-as-a-Service solution for enforcing continuous cloud infrastructure compliance is now available (start your free trial here). We’re at AWS re:Invent 2018 all week, so stop by booth 2305 to learn more.
Today, Fugue released its Cloud Infrastructure Misconfiguration Report, which presents the results of our survey of IT and security professionals from more than 300 enterprise organizations. At Fugue we’re out to solve cloud misconfiguration, so we live and breathe this stuff every day. But even we were surprised by the survey’s findings. The risks due to cloud misconfiguration are generally acknowledged. 92 percent of respondents are concerned about these risks, and 82 percent reported security and compliance incidents resulting from them. The problem is so big, Gartner’s Neil MacDonald estimates that, by 2020, 80 percent of cloud breaches will be due to misconfiguration and human error. Yes, cloud misconfiguration risk is real. But what's the cost of managing it? That said, I’d...
Cloud infrastructure misconfiguration has emerged as the number one cause of data breaches in the cloud. Rather than application software vulnerabilities, it’s actually misconfigured network settings, firewall rules, storage access policies, and other cloud resources that put our data at most risk. We’ve talked a lot about the risk of cloud misconfiguration and why it’s critically important to have a Mean Time to Remediation (MTTR) for cloud infrastructure misconfiguration that’s measured in minutes, not hours or days. But why are cloud misconfiguration MTTRs more often measured in hours or days? And how many man-hours are teams wasting in their attempts to manage this problem? We work with a wide variety of enterprises using cloud at scale—from federal agencies to Fortune 500...
Organizations are excited about the cloud and what it can do for their business. Cloud computing offers the promise of services at elastic speed and DevOps teams are embracing the opportunity to innovate at speed and efficiently scale. The ability to easily bring up thousands of servers within minutes, however, also introduces security and compliance issues. Security and compliance issues are often neglected or avoided because of the perception that adding security will dramatically slow the pace of development. DevOps and security teams may seem to have opposing interests at times. Development teams who deploy apps in the cloud are used to moving fast and having the freedom to deploy whatever resources they need to accomplish their goals. They are not security and compliance...
DevOps provides IT enterprises with the ability to rapidly iterate on smart, fast software deployments. Relying on powerful version control and build tools like GitHub and Jenkins enables DevOps teams to save time and money by including development and operations in a single automated pipeline. However, in some DevOps environments, security is often neglected or avoided because of the perception that the security team will introduce inefficiencies and dramatically slow the pace of development. Bypass the unnecessary risks of this approach by integrating security directly into your DevOps pipeline. DevSecOps Provides Agile Security: DevSecOps is established by placing security controls in every phase of your pipeline. Common best practices include: Training: Educate engineers to...
Launched in 2011, AWS CloudFormation was a game changer because it was one of the first template-based, infrastructure-as-code (IaC) tools that provided the ability to express the full cloud infrastructure stack as configuration files. It wasn’t limited to the OS layer like traditional configuration management tools. However, organizations that operate on AWS under strict security rules and compliance regimes (e.g., HIPAA, PCI, NIST 800-53) need to make sure their infrastructure is created in accordance with the applicable security and regulatory policies—and stays aligned in the face of constant change. The Risk of Cloud Misconfigurations, Drift, and Policy Violations: IaC tools like CloudFormation (CF) were not designed to address security and compliance comprehensively, and they...
Last week, Fugue released its Cloud Infrastructure Misconfiguration Report, which presents the results of our survey of more than 300 IT and security professionals from enterprise-level organizations. What surprised many of us at Fugue the most was the steep cost incurred by enterprises in their attempt to manage cloud misconfiguration, which is still largely a complex, manual process in an otherwise automated world of cloud. You can read more about that in The Cost of Cloud Misconfiguration Whack-a-Mole. Today let’s focus on the risk that cloud misconfiguration brings to the enterprise, and what our survey reveals about the severity of the problem. In short, it’s bad. An overwhelming majority (93%) say they are “somewhat concerned” or “highly concerned” that their organization is at...