Group Fines Under the GDPR

All Things Compliance
4 Min Read

How Multinational Companies May be Affected by Their Subsidiaries’ Noncompliance

Introduction

— by Lindsey Ullian, Threat Stack Compliance Manager

Preparing for GDPR was similar to preparing for Y2K — heads down grinding with anxiety running high, only to find that May 25th came and went without a peep. So what was all that hard work and worry for, anyway? What drove all the privacy emails and data inventorying within companies? In all honesty, it was most likely driven by the high consequences that a company might suffer as a result of noncompliance. But just because your company is now “GDPR ready,” does that mean you’re safe from heavy fines?

Not necessarily. The noncompliance of other companies just might make you vulnerable.

In this post, Kevin Kish, Privacy Technical Lead with Schellman & Company, explains how you may be affected by your subsidiaries’ noncompliance and how you can manage the risk.
 Read more “Group Fines Under the GDPR”

How to Develop an Incident Response Plan for Your SaaS Business

Security Research & Strategy
6 Min Read

According to a 2018 IBM study on cybersecurity resilience, 77 percent of firms surveyed lack proper incident response plans, while 69 percent report insufficient funding for cyber resiliency. Where does your organization stand on this critical issue?

It’s best to accept that it’s not a matter of if your SaaS organization will encounter a security incident at some point in its lifetime but rather when. Operating within today’s security landscape, the time to “when” is shrinking daily. Therefore, it’s critical to develop a strong Incident Response Plan (IRP) before a threat hits, so you’re in a position to respond quickly and effectively.

In this post, we’ll walk you through the basic steps of putting an IRP in place so you can stay in control when an incident inevitably occurs and thereby reduce disruption, damage, recovery time, and costs. Read more “How to Develop an Incident Response Plan for Your SaaS Business”

50 Essential Cloud Security Blogs for IT Professionals and Cloud Enthusiasts

AWS Security, Security Research & Strategy
16 Min Read

With revenue from the cloud computing sector expected to hit $411 billion by 2020, it’s no wonder that more and more companies are shifting their services to the cloud where flexibility and speed make it attractive for organizations looking to leverage a strong competitive edge. But operating in the cloud also gives rise to a range of security concerns.

We’re doing our part with the Threat Stack Cloud Security Platform® and our newly launched Threat Stack Cloud SecOps Program℠. And since we believe that informed people make better decisions, we’ve made it part of our mission since day one to pass on reliable security information through the Threat Stack blog. Given the rapid pace of change in cybersecurity — along with the growing need to deal with infrastructure in transition as organizations build and manage increasingly sophisticated tech stacks — current, expert content is essential to good security.

Now, as proud as we are of our own blog, there’s a huge amount of excellent information produced by other organizations. So in this post, we’ve compiled details on fifty leading blogs that help professionals stay abreast of the latest news, information, and technologies related to cloud security. Read more “50 Essential Cloud Security Blogs for IT Professionals and Cloud Enthusiasts”

Infrastructure in Transition: Securing Containers

Containers, Orchestration & Security, Security Research & Strategy
3 Min Read

Organizations are migrating from virtual server workloads to containers at a frenzied pace, buying into the increasingly popular technology and taking advantage of containers’ many benefits in terms of agility. The application container market is set to explode, according to 451 Research: Annual revenue is expected to increase by 400% over a period of five years, growing from $749 million in 2016 to more than $3.4 billion by 2021.

It’s not hard to see why. Containers are simple to deploy and provide users with greater operational flexibility and compute density, resulting in an optimized build pipeline. Turning to a container orchestration platform, such as Kubernetes, removes an additional layer of operational complexity for even greater ease of deployment and management.

However, a transition in infrastructure is never simple, and along with the advantages come new security challenges. In this post, we’ll discuss some of the risks you should consider before diving headfirst into a container environment, as well as some solutions for mitigating them. Read more “Infrastructure in Transition: Securing Containers”

Q&A With Pat Cable: How Threat Stack Secures Evolving Infrastructure

Containers, Orchestration & Security, Security Research & Strategy
4 Min Read

With the popularity of container environments on the rise, we’ve seen many Threat Stack customers undergoing infrastructure transitions of late. Whether they’re deploying containers for the first time or moving to container orchestration platforms, the shift is one that requires careful consideration when it comes to security. Often, however, organizations just don’t know where to begin in terms of integrating security with their evolving infrastructure.

Recently, I sat down with Pat Cable, Threat Stack’s Senior Infrastructure Security Engineer, to get his point of view on the challenges posed by evolving infrastructure and how Threat Stack can help ensure a secure transition. Read more “Q&A With Pat Cable: How Threat Stack Secures Evolving Infrastructure”

24 DevOps Pros Reveal the Most Important Characteristic of a Successful DevOps Engineer

Dev & DevOps Knowledge, Security Research & Strategy
14 Min Read

There’s no precisely defined career track for DevOps engineers because they’re typically developers or sysadmins who develop an interest in other aspects of operations — such as network operations, deployment, or coding and scripting. Yet with more companies turning to DevOps to deliver products and updates more rapidly, there’s a growing demand for these multi-faceted professionals, and they’re playing an ever-more prominent role in modern companies.

Without a clear-cut career track to lead to a role as a DevOps engineer, companies hire and promote these professionals based on past experience and skillsets. But what characteristics are most important to ensure success as a DevOps engineer? To gain some insight into the skills, talents, and traits that today’s top DevOps engineers need in order to succeed, we reached out to a panel of DevOps pros and engineers and asked them to answer this question:

“What is the most important characteristic of a successful DevOps engineer?”

Read more “24 DevOps Pros Reveal the Most Important Characteristic of a Successful DevOps Engineer”

How to Transform Alert Fatigue Into Proactive Security Management — 4 Must-Read Blog Posts

Security Research & Strategy
5 Min Read

The cybersecurity talent shortage is real, with an estimated 1.8 million unfilled roles expected by 2020. And with 72% of CISOs claiming that their teams are facing alert fatigue, there’s not a lot of margin for error when it comes to getting accurate, context-rich alerts in front of under-resourced teams.

Traditional approaches to managing security alerts have often driven teams into a reactive mode where they’re overwhelmed by huge volumes of alerts or spend way too much critical time gathering information and digging around in log files. If this proliferation of data can be transformed into actionable intelligence, however, teams can become significantly more proactive and reduce risk over time.

Today, we’ll take a look at four must-read Threat Stack blog posts that provide great advice on how you can more away from reactive, ad hoc tactics and adopt a more structured, proactive approach by making alerts a key element of your overall information security strategy. Read more “How to Transform Alert Fatigue Into Proactive Security Management — 4 Must-Read Blog Posts”

GDPR: What Compliance Says vs. What DevOps Hears

All Things Compliance, Dev & DevOps Knowledge
3 Min Read

The deadline for the General Data Protection Regulation (GDPR) is fast approaching, with May 25 marking the official day of reckoning. The updates to the data protection directive of 1995 (Directive 95/46/EC) are designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy rights, and to reshape the way organizations across the EU approach data privacy.

There’s a likelihood that Compliance has approached your DevOps team to get on board. But when Compliance talks, what do you hear? Are you truly understanding what’s required of you to become GDPR compliant? Let’s take a look at some of the possible gaps in knowledge below. Read more “GDPR: What Compliance Says vs. What DevOps Hears”

SLDC, SOC 2, and Other Four Letter Words

Dev & DevOps Knowledge
6 Min Read

Developers gonna develop. That’s why we’re developers. We want to set some implementation goal and then make that a reality. We like to stay heads down and focus on the immediate task at hand. Unfortunately, this can sometimes cause collateral damage. Secondary objectives can get ignored or even trampled in the race to meet the primary target. It’s also likely that other promising developments will get missed as they fall off the main path. Dealing with these issues is one of the many functions of compliance regulations.
 Read more “SLDC, SOC 2, and Other Four Letter Words”

21 InfoSec and AWS Experts Reveal the #1 Mistake Companies Make When It Comes to AWS Security (and How to Avoid It)

AWS Security, Security Research & Strategy
15 Min Read

More companies are moving to the cloud than ever before. Amazon Web Services (AWS) is one of the most popular cloud platforms, and for good reason: AWS provides a robust set of features and services that give it broad appeal among businesses of all sizes. But when it comes to security, many companies continue to fall short, putting their sensitive data at risk. In a recent Threat Stack study, for example, we discovered that 73% of companies have at least one critical AWS security misconfiguration that enables an attacker to gain access directly to private services or the AWS console, or that could be used to mask criminal activity from monitoring technologies.

To gain some insight into the biggest (and potentially most devastating) mistakes companies are making related to AWS security as well as tips and strategies for avoiding them, we reached out to a panel of InfoSec pros and AWS experts and asked them to answer this question:

“What’s the number one mistake companies make when it comes to AWS security (and how can they avoid it)?”

Read more “21 InfoSec and AWS Experts Reveal the #1 Mistake Companies Make When It Comes to AWS Security (and How to Avoid It)”