We are excited to announce that VMware Aria Guardrails is now in Initial Availability as a SaaS solution, following its technical preview at VMware Explore last summer.
VMware Aria Guardrails is a multi-cloud governance service to automate and scale end-to-end policy enforcement across clouds and Kubernetes. The service enables organizations to consistently enforce standards that help regulate cost, reduce risk, and optimize performance across clouds, Kubernetes and hosts. Cloud Operations teams can avoid manual approaches to define landing zone policies, gain a consolidated view of policy violations and drifts in context to graph-based cloud inventory, and automate remediation.
An effective public cloud governance program needs to support application teams in the race to deliver new applications while ensuring that operations are secure, spend is regulated, and performance is optimized, all while navigating the complexity that stems from the vast number of cloud services spread across multi-cloud environments. Cloud Operations teams need to fulfil high demand for compliant cloud accounts in a timely manner, but that alone is not enough to enforce corporate standards in a growing cloud environment. After account provisioning, the onus falls on Cloud Operations teams to ensure that the required policies continue to be enforced in a way that meets the organization's governance objectives. Any dependency on manual, error-prone processes and disparate tools makes it a struggle to enforce compliance standards, leading to increased costs, security risks and performance issues.
VMware Aria Guardrails takes a cloud-smart approach to enforce best practices by providing consistent policy configuration at the time of provisioning and enabling continuous detection and mitigation of drift as resource configurations change, within a single service (Figure 1).
Capabilities to bolster your Cloud Governance Program:
Policy-as-Code Approach: One of the more difficult challenges Cloud Operations teams face is ensuring consistent application of policies for multiple accounts in a cloud environment. The service offers policy templates (Figure 2) making it easy to configure policies repeatedly for cloud accounts. You can also generate a template from the configurations set in an existing cloud account and use it as a benchmark to detect any future drift for that account. Building custom templates helps to address unique requirements for an organization.
This functionality speeds up creation of compliant accounts for multiple application teams across environments and reduces mistakes. Dozens of pre-built templates for Amazon Web Services and Microsoft Azure are available to easily start enforcing policies for cost, security, performance, and networks.
Event-based detection of configuration drift ensures that any policy violations are detected and investigated easily by making it possible to compare the violation with the state declared in the template.
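The drift check described above, as an added illustration (this is example code, not VMware Aria Guardrails' template format or API): a declared baseline template is compared field by field against the configuration carried in each change event, and only the fields the template declares are enforced. The baseline, the change events and the resource names are constructed for the example.

```python
"""Event-driven drift detection against a declared baseline template.

Added example with constructed data; it does not use Guardrails' own template
format or any VMware API.
"""
import json

# Constructed template: the desired state the account was provisioned with.
BASELINE = {
    "s3:bucket:logs": {"public_access_block": True, "versioning": True, "encryption": "aws:kms"},
    "ec2:sg:web": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "iam:password_policy": {"min_length": 14, "require_mfa": True},
}

# Constructed configuration-change events, shaped like an audit trail would emit them.
EVENTS = [
    {"resource": "s3:bucket:logs",
     "config": {"public_access_block": False, "versioning": True, "encryption": "aws:kms"}},
    {"resource": "ec2:sg:web",
     "config": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                            {"port": 22, "cidr": "0.0.0.0/0"}]}},
    {"resource": "iam:password_policy",
     "config": {"min_length": 14, "require_mfa": True}},
    {"resource": "ec2:instance:scratch", "config": {"monitoring": False}},  # not governed
]


def _canonical(items):
    """Order-insensitive form of a rule list (e.g. security-group ingress)."""
    return sorted(json.dumps(i, sort_keys=True) for i in items)


def diff_config(declared, observed, path=""):
    """Return (field, declared, observed) triples for every declared field that drifted.

    Fields the template does not declare are ignored; lists compare order-insensitively.
    """
    if isinstance(declared, dict):
        drifts = []
        for key, want in declared.items():
            child = f"{path}.{key}" if path else key
            if not isinstance(observed, dict) or key not in observed:
                drifts.append((child, want, None))  # declared field is missing entirely
            else:
                drifts.extend(diff_config(want, observed[key], child))
        return drifts
    if isinstance(declared, list) and isinstance(observed, list):
        return [] if _canonical(declared) == _canonical(observed) else [(path, declared, observed)]
    return [] if declared == observed else [(path, declared, observed)]


def evaluate_event(baseline, event):
    """Violations raised by one change event: (resource, field, declared, observed)."""
    declared = baseline.get(event["resource"])
    if declared is None:
        return []  # resource is not covered by this template
    return [(event["resource"], *d) for d in diff_config(declared, event["config"])]


def remediation_plan(violations):
    """Values to write back to restore the declared state, keyed by (resource, field)."""
    return {(res, field): want for res, field, want, _ in violations}


def run(baseline=BASELINE, events=EVENTS):
    return [v for ev in events for v in evaluate_event(baseline, ev)]


if __name__ == "__main__":
    for res, field, want, got in run():
        print(f"DRIFT {res} {field}: declared={want!r} observed={got!r}")
```

The security-group event shows why the comparison is against the declared state rather than against the previous event: the original 443 rule is still present, so a naive "did anything change" check would pass, while the comparison with the template flags the added port 22 rule.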
Security Posture Management: VMware Aria Guardrails provides in-depth coverage for configuration security best practices and compliance frameworks. It provides access to over 1200 predefined policies, which include monitoring for publicly accessible resources, secure configuration of data, and auditability of resources. 20 pre-built industry frameworks, including SOC 2, HIPAA, NIST 800-53, and MITRE ATT&CK, make it easy to continuously improve compliance for cloud and Kubernetes resources. Additionally, custom policies can be built to detect specific configurations based on cloud-asset relationships, without requiring specific coding skills. By scanning the relationships between Kubernetes and cloud services, over 250 advanced detection rules can identify risks that might otherwise be overlooked.
Cloud Entitlement Management: Managing privileges at scale and implementing IAM best practices is not a simple task in an environment where access to cloud resources is granted easily and rapidly. With the rising number of humans and machines that have entitlements to cloud resources, organizations need a solution that helps to identify and audit risky access conditions which could lead to a breach. VMware Aria Guardrails helps to visualize and pinpoint the paths a user can take to access a cloud resource by mapping relationships between principals (a human user or workload), entitlements, and resources. It also enables categorization of permissions and helps to understand the resource blast radius for a principal, making investigation of cloud entitlements quick and simple.
For example, in Figure 3 you can view the roles and policies that enable access to an AWS.EC2.KeyPair for the principal, understand the actions the principal can take as a result, and filter the view by action to update the graph.
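The entitlement analysis described in the two paragraphs above, as an added example (this is illustrative code, not VMware Aria Graph or any Guardrails API): principals, roles, policies and resources form a graph; enumerating the paths from a principal to a resource answers "how does this identity reach this key pair", filtering by action narrows that view, and collecting every reachable statement gives the principal's blast radius by permission category. The graph, the role and policy names, and the verb-based categorization are constructed for the example.

```python
"""Access-path enumeration and blast radius over a principal/role/policy/resource graph.

Added example with a constructed entitlement model; it is not VMware Aria Graph.
"""
from collections import defaultdict

# Constructed model: humans and workloads that assume roles, and the policies on each role.
PRINCIPALS = ["principal:alice", "workload:ci-runner"]
ASSUMES = {
    "principal:alice": ["role:ops", "role:reader"],
    "workload:ci-runner": ["role:ops"],
}
ATTACHED = {
    "role:ops": ["policy:ec2-admin"],
    "role:reader": ["policy:read-only"],
}
# Policy statements as (action, resource pattern); a trailing ':*' is a wildcard.
POLICIES = {
    "policy:ec2-admin": [
        ("ec2:DeleteKeyPair", "AWS.EC2.KeyPair:prod-ssh"),
        ("ec2:DescribeKeyPairs", "AWS.EC2.KeyPair:*"),
        ("ec2:TerminateInstances", "AWS.EC2.Instance:web-1"),
    ],
    "policy:read-only": [
        ("ec2:DescribeKeyPairs", "AWS.EC2.KeyPair:*"),
        ("s3:GetObject", "AWS.S3.Bucket:logs"),
    ],
}


def categorize(action):
    """Coarse permission category from the action verb (constructed heuristic)."""
    verb = action.split(":", 1)[1]
    if verb.startswith(("Describe", "Get", "List")):
        return "read"
    if verb.startswith(("Delete", "Terminate")):
        return "destructive"
    return "write"


def matches(pattern, resource):
    if pattern.endswith(":*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def reachable_statements(principal):
    """Yield (path, action, resource_pattern) for every statement the principal can reach."""
    stack = [(principal, [principal])]
    while stack:
        node, path = stack.pop()
        for role in ASSUMES.get(node, []):
            if role not in path:  # guard against role-assumption cycles
                stack.append((role, path + [role]))
        for policy in ATTACHED.get(node, []):
            for action, pattern in POLICIES.get(policy, []):
                yield path + [policy], action, pattern


def access_paths(principal, resource, actions=None):
    """Chains principal -> role -> policy -> action that grant access to resource."""
    return sorted(
        path + [action]
        for path, action, pattern in reachable_statements(principal)
        if matches(pattern, resource) and (actions is None or action in actions)
    )


def blast_radius(principal):
    """Resource patterns the principal can reach, with the permission categories on each."""
    reach = defaultdict(set)
    for _, action, pattern in reachable_statements(principal):
        reach[pattern].add(categorize(action))
    return dict(reach)


def who_can(action, resource):
    """Principals with at least one path granting action on resource."""
    return sorted(p for p in PRINCIPALS if access_paths(p, resource, {action}))


if __name__ == "__main__":
    for path in access_paths("principal:alice", "AWS.EC2.KeyPair:prod-ssh"):
        print(" -> ".join(path))
    print(blast_radius("workload:ci-runner"))
```

Two things the graph view surfaces that a per-role listing does not: the same destructive permission on the key pair is reachable by both the human and the CI workload through the shared role, and filtering the paths by `ec2:DeleteKeyPair` collapses three access paths to the single one that actually matters for the investigation.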
Host Configuration and Security Management: VMware Aria Guardrails delivers a built-in OS configuration and compliance management solution with a broad set of out-of-the-box application-aware content, event-driven detection of configuration changes, and automated remediation of drift as soon as it occurs. You can also scan the environment for OS-level system vulnerabilities, cross-check them against Common Vulnerabilities and Exposures (CVE) records, and mitigate any security risks on hosts.
VMware Aria Hub Powered by VMware Aria Graph: By leveraging the graph data store delivered by VMware Aria Graph, for every alert on a policy violation, you can visualize the resource configuration and connected objects to understand the overall risk. VMware Aria Hub provides an easy way to manage cloud accounts, establish an overview of your entire cloud inventory, and gain insights into application topology. Read our latest blog about VMware Aria Hub powered by VMware Aria Graph to learn more about new features and get access to the free tier service offering.
The VMware Aria Guardrails Advantage
VMware Aria Guardrails enables organizations to scale best practices within growing cloud environments by:
- Automating policy application and continuous enforcement of industry standards at scale across Clouds, Kubernetes, and Hosts;
- Eliminating tool sprawl and consequent data silos by consolidating policy violation data from disparate tools and correlating violations with threats and vulnerabilities; and
- Extending policy enforcement in third-party policy engines by declaring desired state in templates.
With VMware Aria Guardrails you can exercise cloud cost, security, and performance controls without compromising agility, allowing you to take full advantage of the flexibility and velocity cloud infrastructure has to offer.
Sign up for the VMware Aria Hub Free Tier to test-drive VMware Aria Guardrails, or talk to an expert to learn how VMware Aria Guardrails can help you automate and scale multi-cloud governance.