Whose Fault is That? How NOT to Be a Cloud Security Statistic

Gartner predicts that 95% of cloud security failures from now until 2020 will be the customer’s fault. That means when something goes wrong, it’s probably not AWS or Azure’s fault. Chances are, you have to point the finger at your organization.

Or — better yet — you could take the necessary and proactive steps to minimize the likelihood that you’ll become one of the cloud security failures. The good news is that it’s pretty easy to find out what you need to do. Below we’ll outline the steps to make sure that you stay out of the headlines and out of the statistics.

5 Considerations for Evaluating a Cloud Security Solution

Many companies today are turning to cloud security solutions — from security monitoring platforms to orchestration tools to alerting systems — in order to manage both strategic and tactical security initiatives. Purpose-built technological solutions — especially if you’re a company with limited in-house expertise and resources — can help you stay on top of security without having to hire more people or add to your already long list of things to do.

Before choosing a cloud security solution, however, you need to take many considerations into account — some that focus on the solution itself, and others that focus more squarely on the provider of the solution (because, ultimately, you can’t separate the solution from the provider). In this post, we’ll cover some of the most important considerations.

Why Docker Can’t Solve All Your Problems in the Cloud

Docker and other container services are appealing for good reason. They are lightweight and flexible. For many organizations, they enable the next step of platform maturity by reducing the needs of a runtime to the bare essentials (at least, that’s the intent).

When you dig into the benefits afforded by containers, it’s easy to see why so many companies have started projects to:

  • Containerize their apps and supporting services
  • Achieve isolation
  • Reduce friction between environments
  • Potentially improve deployment cycle times

The software development pattern of small things, loosely coupled, can go even further with an architecture built around containerization. We’re big fans at Threat Stack, and continue to invest in supporting our customers who rely on them. In fact, we recently announced official CoreOS support for our agent.

However, we have discovered that there is no shortage of misunderstandings about Docker (no surprise given the rapid growth and pace of change) and other container services in terms of:

  • How their benefits are realized
  • The impact on infrastructure/operations
  • The implications on overall SDLC and Ops processes

Containers certainly offer plenty of benefits, and it makes good sense to explore whether and how they could work for your organization. But it is also a good idea to take off the rose-colored glasses first and approach this technology realistically.

How Companies Can Provide Security Transparency to Customers and Prospects

Leveraging Security in the Sales Process

Security is more than just a good business practice. It also serves as insurance for your customers that security is a top priority. With the right protections in place, you demonstrate that their data will be safe with you, and this can accelerate the sales cycle. But without good security, sales cycles can drag on or even grind to a halt. Of course, you need to start by having the right security technologies, processes, and personnel in place. Then, you need to be able to convey all of this to prospective and current customers.

In this post, we’ll explain what you need to do to guarantee robust security and how you can communicate this to customers and prospects, giving them visibility into your security measures.

Risk Acceptance & Business Payout

Key Takeaways From the Gartner Security & Risk Management Summit 2017

I just got back from the Gartner Security & Risk Management Summit with three key takeaways that I would like to share. Overall, industry leaders indicate that cybersecurity should be treated as a business function, not as a tax, and to achieve this, we need to base our security approach on:

  1. An attitude and culture of Risk Acceptance
  2. A Risk Management Methodology that enables us to detect and manage risk
  3. Effective alignment with the CEO and BoD by making risk-based decisions focused on business goals

Let’s get into the details.

73% of Companies Have Critical AWS Security Misconfigurations

Threat Stack Delivers Wake Up Call

Wide open SSH and infrequent software updates among top risks identified in the majority of cloud-based environments

How effective are your AWS security configurations? And how do you know for sure?

In a recent eye-opening study, Threat Stack found that 73% of companies have at least one critical security misconfiguration, such as remote SSH open to the entire internet. By “critical”, we mean configuration lapses that enable an attacker to gain access directly to private services or the AWS console, or that could be used to mask criminal activity from monitoring technologies.

If we caught your attention with that opening statistic, please read on.

Calculating TCO: The Real Cost of Cloud Security

This post examines the total cost of ownership (TCO) of a cloud security system, not in terms of the actual dollars and cents cost of a system, but in terms that will help you identify and understand the many hidden costs associated with accurately calculating the TCO for cloud security.

In essence, we want to show you some of the areas that would require a significant investment if you were to build, operate, and maintain a system with capabilities similar to Threat Stack’s Cloud Security Platform®. This, in turn, should help you make an informed decision as you go about selecting a cloud security solution that is appropriate for your organization.

Note: We use “build” in a broad sense in this post, from building a system from scratch, to leveraging open source tools, to creating integrations among multiple point solutions.

How to Prepare Your Company Culture for Its First Security Hire

We often think of security as a technology problem. But at its core, security is and always has been a people problem. You can have the fanciest security tools up and running, but if your organization is full of happy clickers, you still have a problem on your hands.

For this reason, the more that security is a part of your company culture, the better off you will be when it comes to standing up to today’s threats.

Boston-Based Venture Capitalists Weigh in on the Importance of Cybersecurity

At Threat Stack we have developed best practices around cloud security — when it should be introduced, what it should cover at each stage of the security maturity lifecycle, whether a company should build or buy — and so on.

But we always want to hear what other experts have to say. So we recently asked two leaders in Boston’s VC community — Greg Dracon of Boston’s .406 Ventures and Gaurav Tuli, of F-Prime Capital Partners — to share some of the security-related insights they’ve gained from their extensive experience guiding start-up and early-stage companies to success over the years.

Without further commentary, here’s what Greg and Gaurav had to say . . .

How to Answer Your Board’s Tough Security Questions

Picture the scene: You’re at the monthly board of directors meeting when someone asks, “So, what are you guys doing about security?”

Even two years ago, a CSA survey found that security was a board-level concern at 61% of companies. Why?

High-profile breaches have certainly made everyone conscious of cyber security issues, and as awareness and knowledge have grown, boards have begun to take a direct interest in the security of the companies they have invested in. Given that there are very real monetary and reputational consequences to a security breach, board members want to know what steps you are taking to prevent one.