Shift Left Inline – Integration with Atlassian Bitbucket CI/CD Pipes

By Amit Agrawal on Apr 14, 2020

Infrastructure-as-a-Service (IaaS) is used by organizations of all sizes as the new default IT environment for building and hosting internal and customer-facing applications. In the rush to take advantage of the many capabilities IaaS providers offer, many organizations overlook the cloud shared-responsibility model and assume that the cloud provider takes care of security completely. In reality, the security of what customers put in the cloud, above all their sensitive data, remains their own responsibility. According to leading analyst Gartner, "Through 2025, 99% of cloud security failures will be the customer's fault." [1]

According to the McAfee Cloud Adoption and Risk Report (CARR), about 99% of misconfigurations go unnoticed by companies using IaaS. On average, companies were aware of about 37 misconfiguration incidents per month, but real-world data shows that they actually experience closer to 3,500 such incidents, roughly 100 times more.

The speed of IaaS adoption leaves many security practitioners behind, in a never-ending game of catch-up. The flexibility IaaS providers offer lets infrastructure change rapidly with ever-changing demands, and that same speed leaves the door open to misconfiguration all the time, all the more so when changes are made through Infrastructure as Code (IaC) in a Continuous Integration/Continuous Delivery (CI/CD) pipeline. MVISION Cloud's IaaS configuration audit reports on deployed infrastructure and helps ensure it is compliant and pristine, but as new resources are deployed from DevOps templates, the same compliance issues keep getting reported over and over: the audit catches the symptom after deployment, while the root cause lives in the template.

The integration with Atlassian Bitbucket Pipes performs an 'inline' evaluation of DevOps templates: any template pushed to a Bitbucket repository that is configured to trigger a build is automatically evaluated for misconfigurations, and any violations are reported right in the developer's console, highlighting the specific policies in question.

This lets DevOps personnel analyze and remediate misconfigurations at the source, so that further deployments from those templates do not recreate the same issues in the IaaS environments. The security team sets the guidelines and enforces the process, instead of facing the impossible task of keeping up with an ever-growing list of non-compliant resources. Enforcing these checks earlier in the DevOps cycle lets security delegate enforcement for any new resources that are deployed and stop the deployment of non-compliant DevOps templates. By adding security earlier in the DevOps process, security professionals catch risky configurations before they become a threat in production.

The integration setup is simple: the pipeline's YAML file is configured to use the McAfee MVISION Cloud Docker image along with a few environment variables, and setup is complete once Pipelines is enabled on the repository. The scans support AWS CloudFormation, Azure ARM and Terraform templates, and all issues are also reported as incidents in the MVISION Cloud dashboard.
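To make the "inline evaluation" described above concrete, here is an added example of the kind of check a CI step runs against a template before anything is deployed. This is illustrative code written for this page, not MVISION Cloud's scanner or the Bitbucket pipe: the two policies, their identifiers (SG-ADMIN-OPEN, S3-NO-SSE) and the sample CloudFormation template are constructed for the demonstration. The same pattern applies to ARM and Terraform once the template is parsed into resources.

```python
"""Inline IaC policy check of the kind a CI step runs before deployment.

Added illustrative example, not MVISION Cloud's scanner. Policies, their
identifiers and the sample template are constructed for the demo.
"""
import json
import sys

# Constructed CloudFormation template (JSON form) with two deliberate
# misconfigurations: SSH open to the world and an unencrypted S3 bucket.
# LogBucket is compliant and must produce no finding.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "AdminSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "CidrIp": "10.0.0.0/8"},
                ],
            },
        },
        "DataBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "example-data"},
        },
        "LogBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketEncryption": {
                "ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
                ]}},
        },
    },
})

ADMIN_PORTS = (22, 3389)            # SSH and RDP
ANY_ADDRESS = ("0.0.0.0/0", "::/0")


def check_open_admin_ports(name, res):
    """Policy SG-ADMIN-OPEN (hypothetical id): no ingress from any address
    that reaches an administrative port."""
    findings = []
    if res.get("Type") != "AWS::EC2::SecurityGroup":
        return findings
    for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ANY_ADDRESS:
            continue
        # IpProtocol "-1" (or a port of -1) means all traffic in
        # CloudFormation; treat it as the full range rather than skipping it.
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if str(rule.get("IpProtocol")) == "-1" or -1 in (lo, hi):
            lo, hi = 0, 65535
        if any(lo <= port <= hi for port in ADMIN_PORTS):
            findings.append((name, "SG-ADMIN-OPEN",
                             f"ingress {cidr} reaches {lo}-{hi}"))
    return findings


def check_bucket_encryption(name, res):
    """Policy S3-NO-SSE (hypothetical id): every S3 bucket declares
    default server-side encryption."""
    if res.get("Type") != "AWS::S3::Bucket":
        return []
    if "BucketEncryption" not in res.get("Properties", {}):
        return [(name, "S3-NO-SSE", "no BucketEncryption property")]
    return []


POLICIES = (check_open_admin_ports, check_bucket_encryption)


def evaluate(template_text):
    """Run every policy over every resource and return (resource, policy,
    detail) tuples; an empty list means the template is compliant."""
    template = json.loads(template_text)
    findings = []
    for name, res in template.get("Resources", {}).items():
        for policy in POLICIES:
            findings.extend(policy(name, res))
    return findings


def ci_exit_code(findings):
    """A non-zero exit status fails the pipeline step, which is what stops
    a non-compliant template from being deployed."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = evaluate(SAMPLE_TEMPLATE)
    for resource, policy, detail in results:
        print(f"FAIL {policy} on {resource}: {detail}")
    sys.exit(ci_exit_code(results))
```

Run as a build step, the script prints one line per violated policy, naming the resource and the rule, and exits non-zero so the pipeline fails and the template never reaches the account. That is the "remediate at source" loop the section describes: the developer sees the specific policy in the console, fixes the template, and pushes again.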

It is imperative for enterprises to better align developers and security. The end goal is a state where developers aren’t seeing security as just a check box or something to throw over the fence to the security team during production, but as an essential part of their daily development process. As a maker of tools for development teams, Atlassian wants to make it easier for developers to build and operate secure products, while responding to security incidents more quickly and effectively. The partnership between Atlassian and McAfee combines the joint strengths to deliver an optimized security solution for customers.  Join us to learn more at the Atlassian 2020 Summit.

For more information, please join us for a webinar on May 20th.

[1] Source: "Smarter With Gartner" blog, "Is the Cloud Secure?", Kasey Panetta, October 10, 2019.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


About the Author

Amit Agrawal

Amit Agrawal has 20+ years of experience in Product Management and Engineering development. Passionate about identifying underlying end-user problems and use cases and then leading the specification and development of products to solve and provide value. Manage entire product line life cycle from strategic planning to tactical activities. Strong decision-making with imperfect information, knack of ...


Categories: Cloud Security
