5 Principles for Running Securely in a Multi-Cloud Environment

AWS has long ruled the cloud platform game. But today more and more companies are branching out and using additional providers as well. Often this isn’t a matter of replacing one with another, but of different business requirements (such as managing risk and costs) being suited to different cloud vendors. Other factors for using more than one provider center on the fact that vendors work to price their offerings competitively and continually add new features. Additionally, many organizations that run Windows are offered free Azure credits. So why not take advantage and reduce your overall cloud costs?

There’s nothing wrong with running a multi-cloud environment — in fact doing so may be part of a well-crafted strategy — but when you do so, you want to make sure that you are taking appropriate security precautions. In this post, we’ll cover five principles you should strive for when you make the move to a multi-cloud environment. But first, let’s take a look at the major players. Read more “5 Principles for Running Securely in a Multi-Cloud Environment”

5 Considerations for Evaluating a Cloud Security Solution

Many companies today are turning to cloud security solutions — from security monitoring platforms to orchestration tools to alerting systems — in order to manage both strategic and tactical security initiatives. Purpose-built technological solutions — especially if you’re a company with limited in-house expertise and resources — can help you stay on top of security without having to hire more people or add to your already long list of things to do.

Before choosing a cloud security solution, however, you need to take many considerations into account — some that focus on the solution itself, and others that focus more squarely on the provider of the solution (because, ultimately, you can’t separate the solution from the provider). In this post, we’ll cover some of the most important considerations. Read more “5 Considerations for Evaluating a Cloud Security Solution”

3 Key Points on How Vulnerability Management Can Help You Become Compliant

Two interesting observations:

The average number of days that attackers were present on a victim’s network before being discovered is 146 days. (FireEye)

At Threat Stack, we have observed that a majority of the market is moving toward automated security vulnerability and configuration scanning.


You would be hard pressed to come by a compliance framework that did not require you to have a system to detect and manage vulnerabilities. Vulnerabilities are as old as technology itself, so to call yourself compliant, you first need to demonstrate that you have a sound vulnerability management program in place.

Vulnerability management systems identify common vulnerabilities and exposures (also known as CVEs), alerting you when a server or package is at risk so you can patch it immediately.

Simply by having a vulnerability management program in place, you can often satisfy many other major compliance requirements. In this post, we’ll explain how vulnerability management helps you to become compliant. Read more “3 Key Points on How Vulnerability Management Can Help You Become Compliant”

Risk Acceptance & Business Payout

Key Takeaways From the Gartner Security & Risk Management Summit 2017

I just got back from the Gartner Security & Risk Management Summit with three key takeaways that I would like to share. Overall, industry leaders indicate that cybersecurity should be treated as a business function, not as a tax, and to achieve this, we need to base our security approach on:

  1. An attitude and culture of Risk Acceptance
  2. A Risk Management Methodology that enables us to detect and manage risk
  3. Effective alignment with the CEO and BoD by making risk-based decisions focused on business goals

Let’s get into the details. Read more “Risk Acceptance & Business Payout”

How to Prioritize Security Tasks When You Have Limited Resources

Many organizations have limited resources (time, personnel, and money) for IT, and oftentimes only a small portion of that is devoted to security. Given the limited resources available to create and execute a best practice security plan, you will need to face up to these constraints and prioritize security tasks.

But how, exactly, should you go about strategically prioritizing your security needs? How can you determine which aspects need to be addressed first and which can be dealt with later? After all, aren’t they all important? Read more “How to Prioritize Security Tasks When You Have Limited Resources”

5 Key Takeaways From DevOpsDays Austin 2017

Once again Threat Stack was pleased to be a sponsor and a participant at DevOpsDays Austin 2017 on May 4 & 5. Right off the bat it’s clear that this vibrant conference is continuing to expand, with its year over year increase in the number of attendees (650) and sponsors (40). Of particular note: The importance that people in the DevOps space are placing on security is definitely continuing to grow — and I put together five key observations about security, compliance, and the way DevOps teams operate. So without further commentary, here’s what I learned at DevOps Days Austin.

Read more “5 Key Takeaways From DevOpsDays Austin 2017”