Cloud compliance, like cloud security, is never a one-and-done activity. To be compliant, you need to demonstrate it continuously. Systems must be locked down properly, users must follow specific access policies, alerts must be working properly, and so on. If a server is spun up and unprotected, if a user gets too much privileged access, or if alerts are ignored, you can quickly become noncompliant.
So how do you maintain cloud compliance day-in and day-out amongst all your other priorities? In this post, we’ll outline several ways that you can ensure compliance organization-wide, even after the big audit is complete. Read more “What is Continuous Cloud Compliance & How Can I Achieve It?”
How to compress Mean Time To Resolution (MTTR) and drive operational efficiency
Slashing MTTR is one way of shifting into a high-velocity security mode so your team can operate faster to drive innovation, scale, and create a strong competitive advantage.
Read more “Shifting to High-Velocity Cloud Security Operations”
Aligning security with your organization’s greater business needs is becoming increasingly important, but how do you actually do it? What it comes down to is being able to map security to business objectives. Done right, security can be a major business driver. Today, everyone from finance to DevOps to sales and engineering has security top of mind, at least if they know what’s good for them.
In this post, we’ll offer several ways to bridge the gap between security and the rest of the business, allowing you to successfully bring it into the organization in order to meet any number of business objectives. Read more “How to Align Security With Your Business Objectives”
Good security takes effort. But it’s not impossible — far from it. The key to achieving better security is to focus on embedding the right types of thinking early on. Make good security hygiene as natural as muscle memory. And before you start to worry about budget, take note: There are many low-cost, relatively easy measures you can take that will have a big impact on your organization’s security posture.
Recently, we hosted a webinar to outline what some of these low-cost practices look like. We want to show you that it isn’t impossible to achieve security on a budget, especially if you focus on implementing it collaboratively with your teams and building a truly security-conscious culture.
Here’s where we think you should be focusing your energies to achieve big results for little or no cost.
You can listen to the full webinar and read our recap below. Read more “12 Low-Cost Cloud Security Practices With Big Payoffs”
In an earlier post, we talked about how we implemented centralized authentication at Threat Stack. This project initially allowed us to create clearer access control for our servers. A side benefit of this work has allowed us to write tooling around common authentication processes.
One thing we’ve wanted to do is create an alert when folks are using a VPN to connect to one of our environments. In the event of a stolen laptop and stolen credentials, a user could be alerted to someone logging in with their credentials. With OpenVPN, performing actions on a client connect is possible using a client-connect script, so in the tradition of writing small Go applications to improve visibility, we did just that.
For the last few months our Slack bot VPN Notifier has been letting our engineers know when they connect into a Threat Stack environment. We’ve now done the work to open source the tool so that others can use and improve on it. We specifically mention improve, because our tool has limitations: The current version does extremely basic environment checking, and extremely basic alert suppression. Our hope is that we can collaborate with others who want to take this tool the extra mile. Read more “VPNNotify: A VPN Notification bot for Slack”
The absence of a common framework for assessing Cloud Service Providers (CSPs), combined with the fact that no two CSPs are the same, complicates the process of selecting one that’s right for your organization. To help you work through this, we’re using this post to discuss seven basic factors you can use to identify a provider that can best match your business, technical, and operational needs.
In this post, we’re going to assume that you will be relying on public cloud infrastructure. There’s no reason to DIY (which can be costly, complex, and frustrating) when there are experts who can do it far better (no offense!). The shared responsibility model is such that you should be able to rely on cloud service providers to take care of the cloud itself while you focus on what’s in the cloud (your data and applications).
So, how do you choose a public cloud provider? First, it’s helpful to know who the major players are today. Read more “7 Factors to Help You Choose the Right Cloud Service Provider”
Oftentimes companies wait until they grow to a certain size or have a full technology stack before they begin thinking seriously about security. The problem with this is that, statistically, it’s a matter of when you will have a security problem, not if.
So our observation is: If you wait until your company reaches some arbitrary milestone before implementing mature security practices, you may already be late to the game. (If you’ll pardon the obvious, it’s not a great practice to put your life jacket on after your boat gets in trouble; it’s much better to put it on at the very start — i.e., as soon as you board the boat.)
Security maturity actually has nothing to do with the size of your operations — and a great deal to do with how you manage the risk that is inherent in any environment. Even in the smallest companies, security can have a major impact. And we’re not just talking about implementing two-factor authentication or using VPNs (although these are, of course, important). We’re talking about the importance of starting to use a comprehensive approach to monitoring and protecting your infrastructure (on-prem, cloud, or hybrid) as early as possible.
The good news is, today you don’t need dozens of security tools or a major budget to start building end-to-end protection. But you do need to be smart about when and how you implement security. If you haven’t integrated security into your operations from Day 1, this post reviews four transformative events (planned or otherwise) that signal when it’s time to get serious about your organization’s cloud security maturity. Read more “When It’s Time To Put An Engine In Your Cloud Security Lifeboat”
Security has always been about accepting and managing risk. It’s not about becoming the most secure company; its goal is to protect against likely threats to your unique organization. But how do you know when a new risk crops up? And how can you stay on top of this in a rapidly changing cloud environment with more endpoints to monitor?
Fortunately, the cloud doesn’t just introduce new risks. It also offers new opportunities for successful risk management. And while managing risk in the cloud may seem overwhelming, it can actually become a lot more streamlined if you do it right. In this post, we’ll explain how risk management is different in the cloud and how you can adapt with a few simple shifts to your current approach. Read more “How to Adapt Your Risk Management Strategy for the Cloud”
True or false: Companies born in the cloud naturally understand security.
Young and tech-savvy companies running in the cloud often deal with the same cloud security issues as larger organizations that are moving to the cloud from legacy or on-prem solutions. In fact, the unique requirements of tech companies — like continuous development cycles and cutting-edge, rapidly evolving processes — can sometimes add even more complexity to security. If you fall into this camp, you may find this blog useful. In it, we’ve rounded up some of our best advice so you can learn how to strengthen your cloud security posture and start building out a cloud security strategy starting now, without a big drain on your budget and resources. Read more “5 Cloud Security Tips for Emerging Tech Companies”
At the beginning of this year, Gartner projected that the global public cloud services market would grow to $246.8 billion in 2017, up 18% from $209.2 billion in 2016. Given the many high-value benefits it promises, it’s no wonder that moving to the cloud is the holy grail for many organizations.
When the decision to migrate is based on the right reasons, and when a migration is planned and managed according to proven best practices, the results can fundamentally transform an organization’s business model and create major competitive advantages. But migrating is a complex process, and if best practices aren’t followed, the promises of the cloud can remain out of reach or be delivered in a sub-optimal manner.
To make sure your migration gets off to a strong start, we are releasing our latest eBook — Moving to the Cloud? Your Guide to Planning a Secure and Frictionless Migration.
Read more “New eBook: Moving to the Cloud? Your Guide to Planning a Secure & Frictionless Migration”