How to Secure Public Cloud and DevOps? Get Unified Visibility.

One of the most transformative changes in the IT industry over the last decade has been the adoption of public cloud (IaaS) services such as AWS, Azure and GCP.

Public clouds are more than “just” running servers in a remote data center. They’re all about using infrastructure as code. This means that the various building blocks they offer – storage services, virtual machines and containers – as well as the underlying network can all be modified via calls to the public cloud APIs. Companies using public clouds gain enormous velocity and elasticity advantages, which have, in turn, fueled the emergence of DevOps.

For all its advantages, public cloud and DevOps adoption also means the use of many new technologies – and a drastic increase in the velocity of change across the attack surface. This leads to reduced visibility into the infrastructure itself and often more complexity, which tends to be the enemy of security.

Cybersecurity starts with cyber hygiene

We believe that security starts with effective cyber hygiene – making sure every bit of the computing infrastructure is accounted for, configured properly and up-to-date. Keeping an eye on the state of the infrastructure and making sure it’s up-to-date reduces the cyberattack surface dramatically. After all, 99% of vulnerabilities exploited today are ones known by security for at least 12 months.

However, cyber hygiene is difficult to maintain in the dynamic world of public cloud. Many security teams we’ve talked to don’t know what’s running, let alone how up-to-date and tightly configured these components are.

Look no further than the many problems stemming from the misuse of public cloud infrastructure, such as default SSH credentials.

Public cloud is a boon to security

In spite of these high-profile incidents, we consider the disciplined use of public cloud as a boon to security – as long as DevOps methodologies and technologies are used wisely. Immutable containers, microservices and automated security testing can actually improve an organization’s level of security.

But, many security solutions are built with physical, on-premise data centers in mind – not with the vital levels of scale and visibility required for public cloud. Security teams need this scale and visibility to keep track of what’s happening in their public cloud infrastructure. It also provides the necessary background and data to properly engage with the DevOps teams – enabling what many in the industry refer to as DevSecOps.

Cyber Exposure: Providing greater visibility into cloud security

The discipline of Cyber Exposure will help security leaders embrace DevSecOps principles to manage and measure the cyber risk of public cloud infrastructure. Traditional vulnerability management practices must evolve to provide greater visibility into cloud security through:

• Live discovery and continuous monitoring of cloud assets
• Integration between the static and dynamic scanning of cloud assets across the software development lifecycle
• Automated, seamless workflow integration with DevOps

Today, we’re excited to announce new and important product capabilities in Tenable.io to help you embrace the use of public cloud:

• New Cloud Connectors for Microsoft Azure and Google Cloud Platform: Continuously discover and track asset changes in Azure and GCP cloud environments to ensure all cloud workloads are known and assessed for vulnerabilities. Together, with the existing Cloud Connector for AWS, these new connectors provide a unified view of cybersecurity risks across the top three most widely deployed public cloud (IaaS) platforms.
• New container runtime scanning in Tenable.io Container Security: Gain visibility into the Cyber Exposure of containers running in production. This important product enhancement is enabled by the combination of Tenable.io Container Security and Tenable.io Vulnerability Management working together to seamlessly integrate security into the end-to-end DevOps process – from build to production.
• New web application discovery in Tenable.io Web Application Scanning: Identify web applications owned and deployed across an organization, including previously unknown applications, to understand Cyber Exposure throughout your web application estate. This new capability solves a critical visibility challenge – the number of web applications deployed is often much higher than what the security team is aware of.

We’re thrilled with the growing use of DevOps, and believe it can really help security when done right. Public cloud is a pillar of DevOps. With the right insight and seamless integration, security teams can enable DevSecOps to provide the necessary guardrails for any organization to use these new technologies safely and responsibly.

Resources: How to secure public cloud infrastructure

For more information:

• Read the Container Security Best Practices: A How-To Guide ebook
• Read the press release
• Visit: www.tenable.com/solutions/cloud-security