
How VMware IT Maintains Security Across a Multi-Cloud Environment: Part Three

by: VMware Head of Security Engineering and Architecture Brad Doctor; VMware Staff II Engineer – Cloud Security Casey Lems; and VMware Senior Security Architect Craig Savage

In part one of our blog series, we discussed clarifying internal responsibility, effective communication, and creating a governance program.

In part two of our blog series, our focus was on asset visibility. In the last blog of this series, we share the importance of detecting vulnerabilities quickly, implementing automated issue remediation, and being proactive in detection.

Transforming your security organization into a savvy cloud security shop takes time and effort. Here are the remaining steps to consider for maintaining security across a multi-cloud environment.

5. Detect Vulnerabilities – At Cloud Speed

We use a risk-focused approach to determine our prioritization for efficiently monitoring and detecting potential gaps in governance controls. Accounts storing sensitive and customer data and production services are the focus, whereas development and test accounts are secondary. Having a strategy to start somewhere and tackle it little by little is essential.

Ultimately the sooner an anomaly is identified in the deployment process and communicated to the developer, the lower the cost to fix it. If we wait for weeks to report a security problem, the developers will have already processed hundreds of other features and bugs and will need to research the request before they can determine a method to fix it. Finding ways to allow teams to query this information during the continuous integration and continuous delivery (CI/CD) build process provides the real-time feedback necessary for addressing the issue.

Alongside prioritizing issues and detecting them quickly, it is extremely important to build a cloud security approach that inspects relationships across cloud assets and views security risks holistically. Cloud security teams must have the full context when performing both incident investigations and real-time detections across assets and resources.

VMware IT relies on VMware Secure State, a security and compliance platform that helps us define our security and compliance standards, and benchmark our deployments against these best practices. VMware Secure State uses an interconnected cloud security approach that models assets in our inventory by their relationship to each other, making it easier to run security investigations, understand the blast radius of violations, and prioritize these by risk.

6. Remediating Issues – Building Trust and Success

Once the IT team establishes overall asset visibility, specific controls, and detection methods, it’s time to start implementing automated remediation or guardrails.

Putting together a transition plan from detection to monitoring to reporting to enforcement helps stakeholders start trusting the system and processes. It’s critical to minimize the possibility of causing disruptions and derailing the productivity of your application teams.

The bulk of the work involved is retro-fitting automated controls against existing optimized workloads. Automating a bad process makes that process happen faster. Consider grandfathering old assets, and work towards compliance of the existing resources as part of your vulnerability management program. Taking this approach enables you to enforce the guardrail on new deployments without disrupting the business.

VMware Secure State offers a remediation framework that helps us build guardrails and reduce vulnerabilities across both existing and new assets holistically. A key aspect of this approach is its cloud permissions control policy, which enables the VMware IT team to detect and remediate vulnerabilities while maintaining read-only access (least privileges) to cloud accounts that our developer teams own.

7. Shift Left – Security as Code

The idea of “shifting left” is to be proactive in detection. Since we’ve taken a real-time, centralized approach for asset identification and collection, we can start publishing integrations into the CI/CD pipeline tools, which allows developers to stop the build if they discover an issue.

Creating a cloud version of a golden image enables us to determine what a secure cloud data lake bucket looks like when correctly configured. If represented as code, the developers will have a starting point to work from, rather than trying to tack security on to an existing resource. Some items to consider include:

  • Creating and managing a catalog of hardened build artifacts, templates and configurations to construct things in the cloud in an ideal manner for your organization.
  • Using the same source code management tool for the catalog as your developers already use.
  • Socializing the idea of developers enabling these hardened templates through code. Having security as code means it can be modified to flag an exception as necessary without forcing it into a specific construct to deploy or manage the resource.
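The build-time check described in steps six and seven, as an added example that is not VMware's code and does not use any VMware Secure State interface: a pipeline gate compares declared bucket settings with a golden baseline, stops the build only for new deployments, sends grandfathered assets to the remediation backlog, and honors exceptions recorded in source control. The control names, enforcement date, bucket names and exception entry are all assumptions constructed for illustration.

```python
from datetime import date

# Hypothetical golden baseline for a data lake bucket; the control names are
# illustrative and not tied to any cloud provider's or product's schema.
GOLDEN_BUCKET = {"public_access_blocked": True, "encryption_at_rest": True,
                 "versioning": True, "access_logging": True}
# Assumed date from which the guardrail is enforced on new deployments.
ENFORCED_FROM = date(2021, 1, 1)
# Constructed exception, kept in source control beside the templates so a
# deviation is reviewed like any other code change.
EXCEPTIONS = {("public-site-assets", "public_access_blocked"): "static website"}

def evaluate(buckets):
    """Return (blocking, backlog, excepted) lists of (bucket, control) pairs."""
    blocking, backlog, excepted = [], [], []
    for b in buckets:
        for control, wanted in GOLDEN_BUCKET.items():
            # A control missing from the declaration counts as a deviation.
            if b["config"].get(control) == wanted:
                continue
            finding = (b["name"], control)
            if finding in EXCEPTIONS:
                excepted.append(finding)   # flagged and documented, not blocking
            elif b["created"] < ENFORCED_FROM:
                backlog.append(finding)    # grandfathered: fix via vuln management
            else:
                blocking.append(finding)   # new deployment: stop the build
    return blocking, backlog, excepted

def gate(buckets):
    """CI exit code: non-zero only when a new, non-excepted bucket deviates."""
    blocking, backlog, excepted = evaluate(buckets)
    for label, found in (("BLOCK", blocking), ("BACKLOG", backlog), ("EXCEPT", excepted)):
        for name, control in found:
            print(f"{label:8}{name}: {control} deviates from the golden baseline")
    return 1 if blocking else 0

# Constructed sample inventory, as a pipeline step might parse it from templates.
SAMPLE = [
    {"name": "analytics-lake", "created": date(2021, 6, 1),
     "config": {"public_access_blocked": True, "encryption_at_rest": False,
                "versioning": True, "access_logging": True}},
    {"name": "legacy-exports", "created": date(2019, 3, 12),
     "config": {"public_access_blocked": True, "encryption_at_rest": True,
                "versioning": False}},
    {"name": "public-site-assets", "created": date(2021, 8, 20),
     "config": {"public_access_blocked": False, "encryption_at_rest": True,
                "versioning": True, "access_logging": True}},
]

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE))
```

Because the gate fails only on the blocking list, existing workloads keep deploying while their findings stay visible in the backlog output.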

Suggestions for Getting Started

Achieving successful governance in cloud environments requires a different approach than traditional security reporting and monitoring provides. Here are three ways that VMware started implementing steps five through seven:

  • Built a smarter security approach that inspects assets in the context of their relationships and views risks holistically
  • Automated cloud security and issue remediation to build trust
  • Provided ways to deploy the necessary configurations with minimal effort

VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment.