What is Continuous Cloud Compliance & How Can I Achieve It?

Cloud compliance, like cloud security, is never a one-and-done activity. To be compliant, you need to demonstrate it continuously. Systems must be locked down properly, users must follow specific access policies, alerts must be working properly, and so on. If a server is spun up and unprotected, if a user gets too much privileged access, or if alerts are ignored, you can quickly become noncompliant.

So how do you maintain cloud compliance day-in and day-out amongst all your other priorities? In this post, we’ll outline several ways that you can ensure compliance organization-wide, even after the big audit is complete.

5 Cloud Security Tips for Emerging Tech Companies

True or false: Companies born in the cloud naturally understand security.

Young and tech-savvy companies running in the cloud often deal with the same cloud security issues as larger organizations that are moving to the cloud from legacy or on-prem solutions. In fact, the unique requirements of tech companies — like continuous development cycles and cutting-edge, rapidly evolving processes — can sometimes add even more complexity to security. If you fall into this camp, you may find this post useful. In it, we’ve rounded up some of our best advice so you can learn how to strengthen your cloud security posture and start building out a cloud security strategy now, without a big drain on your budget and resources.

Prevention Isn’t Enough. Why All Companies Need Detection Too

How would you know if your prevention methods failed to catch a critical threat? One of two ways: Either a customer, an auditor, or another third party would find out about it (an embarrassing situation for you) or you could get lucky and find it yourself — which is rare without detection.

Prevention techniques and technologies (e.g., security controls, firewalls, encryption, antivirus), are designed to block an attacker from getting in, and can be critical to your security strategy. However, they can’t be the only defense you have in place. If history is any indicator (and we believe it is), attackers will find a way in. So, as a defender, you also need the ability to detect threats once they are inside your modern cloud infrastructure. That’s why companies are shifting their focus to detection techniques and technologies (e.g., monitoring, alerting).

In this post, we’ll explain what detection does that prevention cannot, what to watch out for if you’re relying on prevention alone, and how you can use them in parallel.

Not Ready for Cloud Security? Here Are 5 Things You Can Do in the Meantime

If you are currently running an on-premise or hybrid environment with an eye to eventually making a complete transition to the cloud, you may be feeling a bit overwhelmed by everything that needs to change in order for your security posture to be appropriate for this new environment. In this post, we’re going to explain how you can start where you are, take small but meaningful steps, and still make important progress toward where you want to be — operating securely in the cloud.

Without trying to boil the ocean, here are five key steps you can take to gently kickstart your transition toward a fully secure, all-cloud environment, no matter where you are today.

5 Considerations for Evaluating a Cloud Security Solution

Many companies today are turning to cloud security solutions — from security monitoring platforms to orchestration tools to alerting systems — in order to manage both strategic and tactical security initiatives. Purpose-built technological solutions — especially if you’re a company with limited in-house expertise and resources — can help you stay on top of security without having to hire more people or add to your already long list of things to do.

Before choosing a cloud security solution, however, you need to take many considerations into account — some that focus on the solution itself, and others that focus more squarely on the provider of the solution (because, ultimately, you can’t separate the solution from the provider). In this post, we’ll cover some of the most important considerations.

3 Key Points on How Vulnerability Management Can Help You Become Compliant

Two interesting observations:

  1. The average number of days that attackers were present on a victim’s network before being discovered is 146 days. (FireEye)
  2. At Threat Stack, we have observed that a majority of the market is moving toward automated security vulnerability and configuration scanning.

You would be hard pressed to come by a compliance framework that did not require you to have a system to detect and manage vulnerabilities. Vulnerabilities are as old as technology itself, so to call yourself compliant, you first need to demonstrate that you have a sound vulnerability management program in place.

Vulnerability management systems identify common vulnerabilities and exposures (also known as CVEs), alerting you when a server or package is at risk so you can patch it immediately.

Simply by having a vulnerability management program in place, you can often satisfy many other major compliance requirements. In this post, we’ll explain how vulnerability management helps you to become compliant.

Risk Acceptance & Business Payout

Key Takeaways From the Gartner Security & Risk Management Summit 2017

I just got back from the Gartner Security & Risk Management Summit with three key takeaways that I would like to share. Overall, industry leaders indicate that cybersecurity should be treated as a business function, not as a tax, and to achieve this, we need to base our security approach on:

  1. An attitude and culture of Risk Acceptance
  2. A Risk Management Methodology that enables us to detect and manage risk
  3. Effective alignment with the CEO and BoD by making risk-based decisions focused on business goals

Let’s get into the details.

How to Prioritize Security Tasks When You Have Limited Resources

Many organizations have limited resources (time, personnel, and money) for IT, and oftentimes only a small portion of that is devoted to security. Given the limited resources available to create and execute a best practice security plan, you will need to face up to these constraints and prioritize security tasks.

But how, exactly, should you go about strategically prioritizing your security needs? How can you determine which aspects need to be addressed first and which can be dealt with later? After all, aren’t they all important?