Oftentimes companies wait until they grow to a certain size or have a full technology stack before they begin thinking seriously about security. The problem with this is that, statistically, it’s a matter of when you will have a security problem, not if.
So our observation is: If you wait until your company reaches some arbitrary milestone before implementing mature security practices, you may already be late to the game. (If you’ll pardon the obvious, it’s not a great practice to put your life jacket on after your boat gets in trouble; it’s much better to put it on at the very start — i.e., as soon as you board the boat.)
Security maturity actually has nothing to do with the size of your operations — and a great deal to do with how you manage the risk that is inherent in any environment. Even in the smallest companies, security can have a major impact. And we’re not just talking about implementing two-factor authentication or using VPNs (although these are, of course, important). We’re talking about the importance of starting to use a comprehensive approach to monitoring and protecting your infrastructure (on-prem, cloud, or hybrid) as early as possible.
The good news is, today you don’t need dozens of security tools or a major budget to start building end-to-end protection. But you do need to be smart about when and how you implement security. If you haven’t integrated security into your operations from Day 1, this post reviews four transformative events (planned or otherwise) that signal when it’s time to get serious about your organization’s cloud security maturity. Read more “When It’s Time To Put An Engine In Your Cloud Security Lifeboat”
Cloud security is a complex subject, and customers sometimes tell us that one of their biggest challenges is simply knowing where to start.
In our latest playbook, Jump Starting Cloud Security: A Guide to Starting Your Cloud Security Journey, we have addressed this problem head on. If your organization is just starting out in cloud security — whether it’s a rapidly growing startup or a more established company — this Playbook is intended for you.
It’s a roadmap full of industry-proven practices that will put you on the fast track to cloud security monitoring, addressing your first round of security concerns, and measurably improving your security stance, all in a reasonable amount of time for a reasonable outlay of money and resources.
The hand-on approach will help you implement important security practices without diverting resources and attention away from your company’s main business goals, and you’ll also end up with a solid platform to build on when you want to move up to the next level of maturity on the cloud security ladder. Read more “New Playbook: Jump Starting Your Cloud Security Journey”
In Part 1 of this post we explained how you can find all the secrets in your environment. In Part 2 we will discuss effective ways to store and manage secrets — to keep them from leaking to unauthorized people. Read more “Cloud Security Best Practices: Finding, Securing, & Managing Secrets, Part 2”
Secrets — passwords, API keys, secure tokens, private keys, and so on — protect access to sensitive resources in your environment. If not properly managed, they can end up in the wrong hands.
In Part 1 of this post, we will show you how to find secrets using truffleHog and git-secrets. In Part 2, we will explain how to manage them using appropriate software tools in order to quickly and cost-effectively achieve a higher level of security. Read more “Cloud Security Best Practices: Finding, Securing, & Managing Secrets, Part 1 — truffleHog & git-secrets”
This post offers valuable tips on how to easily assess how well your AWS environment is configured using Configuration Auditing. So, let’s get started…
What is a Cloud Security Baseline?
The phrase is bandied about a lot, so let’s get to it: What is a security baseline?
One of the problems that many organizations run into, especially when they are starting out in cloud security, is not knowing where to start and not having specific data to help them define and improve the status of their cloud security.
That’s where a baseline proves critical. CERN Computer Security defines a security baseline as “a set of basic security objectives which must be met by any given service or system.”
If you put this in the context of cloud security, a baseline will show you how closely a snapshot of your current cloud environment conforms to industry best practices and benchmarks.
This sounds a bit academic, so let’s get down to specifics by taking a look at Threat Stack Audit— the new product we are offering to help you establish and maintain a baseline. Read more “How Securely Configured is Your AWS Environment?”
As we stated in the introduction to this blog post series, our purpose is to give you insight into the issues you should address when you are at the early stages of establishing a cloud security program.
If your organization is just starting out on its cloud security journey — whether it’s a rapidly growing startup or a more established company — it’s important to develop a strategic security roadmap that’s suited to its early-stage maturity level. You should not reasonably expect to go from no security or rudimentary security to a full-blown, encompassing program in one step. It’s far better to take a graduated approach by defining objectives that will give you reasonable protection now, that won’t drain your budget and resources (and possibly divert critical resources and attention away from your company’s primary business goals) — and that will also serve as a rock solid platform to build on when you want to move up to the next level of maturity on the cloud security ladder.
What you need is an end-to-end roadmap that will get you started in cloud security monitoring, address your first round of security concerns, and noticeably and measurably improve your security stance, all in a reasonable amount of time and for a reasonable expenditure of money and resources.
And that’s exactly what we’ll do in this post: walk through five steps that will help you develop a strategic action plan that includes defined goals and is targeted at your organization’s specific maturity level, needs, and resources. Read more “Planning Your Cloud Security Program”
More and more companies are migrating to the cloud — and for good reason considering the many benefits such as speed, flexibility, and reduced costs.
One of the key questions that always comes up in this transition centers on cloud security. Not so much in the form of “Is the cloud secure?” but more in terms of “What is your company doing to make sure its infrastructure is secure?”
In the best scenario, companies include a cloud security service in their business plan on day one. In the worst case, they limp along for years without a strategically planned, comprehensive security roadmap that will provide real protection for their IP, data, systems, customers, and reputation.
In both cases, these organizations have one thing in common: Regardless of how long they’ve been in business, they are at an early stage of cloud security maturity. They are just starting out on their cloud security journey.
And that’s where we can help. Read more “Threat Stack Blog Series: Starting Your Cloud Security Journey”
Security maturity in the cloud is an important topic lately, from evolving security with existing DevOps practices, to automating security across your infrastructure, to getting the information you need to piece together what occurred when there is a security incident.
And at the same time, many organizations just don’t know where to start. Read more “Threat Stack’s New Packaging for Your Cloud Security Journey”