How do you ensure continuous security and compliance in your cloud and container environments? Invest in cloud operations. This is the best way to ensure that your organization is consistently and continually mitigating this risk. Cloud operations, or “CloudOps”, is the combination of people, processes, and tools that allow organizations to consistently manage and govern cloud services at scale. Key to this is hiring and developing the right people, identifying processes that address the unique operational challenges of cloud services, and automating those processes with the right tools.

One vital tool in your CloudOps toolkit should be software that provides centralized visibility of configuration choices, real-time evaluation of those choices against security policies, and automated remediation when a policy is violated. DivvyCloud is exactly this kind of tool, and our software is used by customers such as Discovery, Twilio, General Electric, Kroger, Fannie Mae, Turner, and Autodesk to achieve continuous security for their public cloud and container environments. We are natively multi-cloud and extensible, we automate remediation to protect against and mitigate real-time risks, and we provide over 165 out-of-the-box policies for a quick start to fully securing your cloud.

Below are 5 examples of these out-of-the-box policies, why they’re important, and which standards and directives they map to:

  • Storage Container Exposing Access To World
    Global API Accounting Config records API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the specific cloud service. Global API Accounting provides a history of API calls for each account, including API calls made via the management console, SDKs, command line tools, and other cloud services.
    Maps to Security Standards:
    • NIST Cyber Security Framework (CSF): ID.RA-1
    • NIST 800-53: SC-7
  • Instance With a Public IP Exposing SSH
    Security groups provide stateful filtering of ingress/egress network traffic to cloud resources. It is recommended that no security group allows unrestricted ingress access to port 22.
    Maps to Security Standards:
    • Center for Internet Security (CIS): Networking 4.1
    • NIST Cyber Security Framework (CSF): ID.RA-1
    • NIST 800-53: CM-7
  • Cloud Account Without Root Account MFA Protection
    The root account is the most privileged user in a cloud account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to the cloud account, they will be prompted for a username and password as well as for an authentication code from an AWS MFA device. Note: When virtual MFA is used for root accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed so that it is kept charged and secured independently of any individual’s personal devices (“non-personal virtual MFA”). This lessens the risk of losing access to the MFA due to device loss, device trade-in, or the individual owning the device no longer being employed at the company.
    Maps to Security Standards:
    • Center for Internet Security (CIS): Identity & Access Management 1.13
    • NIST Cyber Security Framework (CSF): DE.CM-3
    • NIST 800-53: PM-11
  • Access List Exposes SSH to World (Security Group)
    Access Lists (Security Groups) provide stateful filtering of ingress/egress network traffic to cloud resources. It is recommended that no security group allows unrestricted ingress access to port 22.
    Maps to Security Standards:
    • Center for Internet Security (CIS): Networking 4.1
    • NIST Cyber Security Framework (CSF): ID.RA-1
    • NIST 800-53: AC-17
    • CSA Cloud Controls Matrix (CCM): GRM-01
  • Access List Exposes Windows RDP to World (Security Group)
    Access Lists (Security Groups) provide stateful filtering of ingress/egress network traffic to cloud resources. It is recommended that no security group allows unrestricted ingress access to port 3389.
    Maps to Security Standards:
    • Center for Internet Security (CIS): Networking 4.2
    • NIST Cyber Security Framework (CSF): ID.RA-1
    • NIST 800-53: AC-17
    • CSA Cloud Controls Matrix (CCM): GRM-01
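The two “Access List Exposes … to World” policies above reduce to one evaluation rule: flag any security group whose ingress rule both admits the whole internet (0.0.0.0/0 or ::/0) and covers port 22 or 3389. The following is an added example of that evaluation written in Python; it is not DivvyCloud code, it assumes rules shaped like the IpPermissions entries returned by the AWS EC2 DescribeSecurityGroups API, and the sample groups are constructed. It also handles the cases a naive port match misses: an all-protocol (“-1”) rule, a wide port range that happens to include 22, and IPv6 world ranges.

```python
"""Policy checks for 'Access List Exposes SSH/RDP to World' (added example, not
DivvyCloud code). Rules follow the IpPermissions shape of the AWS EC2
DescribeSecurityGroups response; the sample groups below are constructed."""
from typing import Iterable

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Policy name -> port that must not be reachable from the whole internet.
POLICIES = {"Access List Exposes SSH to World": 22,
            "Access List Exposes Windows RDP to World": 3389}


def rule_is_world_open(rule: dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    v4 = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & WORLD_CIDRS)


def rule_covers_port(rule: dict, port: int) -> bool:
    """True if the rule admits TCP traffic to `port`: IpProtocol '-1' means
    all protocols and ports; otherwise `port` must lie in FromPort..ToPort
    (a wide range such as 0-1024 still exposes 22)."""
    proto = str(rule.get("IpProtocol", ""))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def evaluate(groups: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (GroupId, policy name) for every policy a group violates."""
    findings = []
    for sg in groups:
        for policy, port in POLICIES.items():
            if any(rule_is_world_open(r) and rule_covers_port(r, port)
                   for r in sg.get("IpPermissions", [])):
                findings.append((sg["GroupId"], policy))
    return findings


# Constructed sample: the first two groups violate, the third does not.
SAMPLE_GROUPS = [
    {"GroupId": "sg-ssh-open", "IpPermissions": [{"IpProtocol": "tcp",
        "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-all-open", "IpPermissions": [{"IpProtocol": "-1",
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-office-only", "IpPermissions": [{"IpProtocol": "tcp",
        "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]
```

Running `evaluate(SAMPLE_GROUPS)` reports the SSH policy for `sg-ssh-open` and both policies for `sg-all-open`, while the office-restricted RDP rule produces no finding.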

These are just some of the many multi-cloud policies that we can help you monitor and remediate. Click here if you’re interested in learning about others, as well as the top security risks that DivvyCloud protects you from. Or, if you’d like us to explain, contact us and let’s have a conversation.


DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources, allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.