Press Releases

Automating Your AWS Landing Zone

Automating Your AWS Landing Zone

Automating Your AWS Landing Zone:Enabling Large-Scale Migrations and Next-Gen Apps Before you migrate applications to, or build next-gen applications on, Amazon Web Services (AWS), you need to ensure that you have a landing zone in place. The landing zone concept is a...

IBMs Data Breach Study – Which Industries Have the Highest Cost?

IBMs Data Breach Study – Which Industries Have the Highest Cost?

In July, IBM and Ponemon Institute released the 2018 Cost of Data Breach Study: Global Overview in which they conducted interviews with more than 2,200 IT, data protection, and compliance professionals from almost 500 companies that have experienced a data...

Feature Release: 18.6 – Event Driven Harvesting, New Compliance Packs, & More

We are introducing some fantastic new capabilities in this release including event driven harvesting (“EBH”), three new compliance packs, and increased support for Amazon Web Services, Microsoft Azure, and Google Cloud Platform.  Our latest release also...

Ensuring Continuous Security and Compliance in Your Cloud Environments

How do you ensure continuous security and compliance in your cloud and container environments?  Invest in cloud operations. This is the best way to ensure that your organization is consistently and continually mitigating this risk.  Cloud operations, or...

The Headache of Managing Cloud Spend

Many companies are failing to manage their cloud environment effectively, and are dealing with the daily headaches that come as a result. It’s become much easier to purchase new software or services, which means it’s even easier for spending to increase....

Learn how Kroger went from 0-60 with GCP and containers to become a digital leader in retail at Google Cloud Next ’18 | Wednesday, July 25th, 2:00 – 2:20 PM in the South Hall

DivvyCloud is a sponsor of Google Cloud Next '18 and at the event we are hosting a Cloud Talk, featuring Kroger’s Chief Architect Bruce Maxfield.  The session is Wednesday, July 25th, 2:00 - 2:20 PM in the South Hall Cloud Talk space.   Bruce and DivvyCloud COO Peter...

ComputerWorldUK Honors DivvyCloud: One of the Best Cloud Management Tools of 2018!

We are delighted to announce that Computerworld UK has named DivvyCloud one of the “Best Cloud Management Tools” of 2018. ComputerWorld UK compiled a list of cloud computing management tools that aim to help manage costs, usage, and ultimately optimize the...

Choosing Between AWS, GCP, or Azure? How About All of Them? Increasingly Enterprises Choose Multi-Cloud Strategies

Once a company decides to embrace IaaS and PaaS public cloud computing they then face the challenge of deciding on a vendor, typically AWS, Azure or GCP.  Traditionally, companies would select a single public cloud vendor with whom to partner.  However, over the last...

Top 5 Tips for Attending re:Invent 2017

Re:invent is one of the cloud computing world’s biggest events, and it’s just around the corner! Whether this is your first time visiting attending or you’ve been before, with an expected 40,000 attendees, more than 400 exhibitors, more than 1,000 breakout sessions...

What’s New in DivvyCloud?

Simplify how to identify cloud infrastructure risks with “Insights” For organizations managing a public- or hybrid- cloud, visibility and automation are paramount to ensure a secure infrastructure. To be effective, visibility and automation must be easy to achieve,...

Events

Popular Job Site Exposed 13 Million User Records

Popular Job Site Exposed 13 Million User Records

This misconfiguration epidemic has seen the theft or loss of more than 14 billion data records in the last five years as reported by Breach Level Index.

Misconfiguring a cloud database, storage container, or search engine can have massive consequences, especially if they contain personal information. Just ask Facebook, when earlier this year, 540 million user records were exposed due to a misconfigured S3 bucket. A publicly accessible MongoDB database with misconfigured settings put Verification.io in the news when they exposed 150 gigabytes of customer data. Elasticsearch, a more recent culprit, left companies including Rubrik, Voipo, Meditab, and Dow Jones with exposed caches of customer information on publicly exposed servers without passwords, and now we can add one more to the list.

TechCrunch reported that another company has misconfigured an Elasticsearch server. Ladders, a popular U.S. based recruitment company exposed over 13 million user records when they left their Elasticsearch server publicly exposed without a password. Ladders joins the rapidly growing list of organizations who have fallen victim to the 2019 trend of misconfiguring Elasticsearch databases.

Here are eight other orgs this year that have misconfigured Elasticsearch servers:

What happened this time?
Ladders left an Elasticsearch server unprotected, without a password. Though we aren’t exactly sure how that happened, we can assume that a developer may have tweaked the configuration as a part of troubleshooting, and once the application began working again, they moved on to another project completely forgetting about the unprotected Elasticsearch server. There are dozens of situations that may result in changes to cloud asset configurations. Organizations are often made vulnerable because they don’t have processes in place to prevent or manage improperly secured software configurations and deployments.

“Sanyam Jain, a security researcher and a member of the GDI Foundation, a nonprofit aimed at securing exposed or leaking data, found the database and reported the findings to TechCrunch in an effort to secure the data.”

How can companies avoid exposing their data?
As a basic step to avoid data leaks, we recommend taking advantage of native cloud capabilities. Ensure that you prevent unauthorized access, and are always purposefully using the cloud provider’s storage access policies to define access to the objects stored within. Training is critical. Make sure your team knows not to open access to the public, unless absolutely necessary; and that they understand that incorrectly configured policies can result in the exposure of PII and other sensitive data.

The challenge is that many organizations struggle to adopt and enforce best practices consistently, and only 100% consistency protects against a breach. This is why an investment in a cloud management platform is a vital additional step.

Interested in learning more? Speak with a DivvyCloud expert today!


Watch DivvyCloud’s 60 second video to learn how we help customers like GE, 3M, Autodesk, Discovery, and Fannie Mae stay secure and compliant.

DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

 

DivvyCloud Raises $19 Million to Automate Cloud Security and Compliance

In a quickly maturing market, DivvyCloud has demonstrated a unique value proposition for enterprises leveraging the public cloud.

John R. Marquis

Principal, Providence Strategic Growth

DivvyCloud Raises $19 Million to Automate Cloud Security and Compliance

Investment to Fuel Innovation in Cloud Security and Support Growing Customer Demand

Co-founders: DivvyCloud CTO Chris DeRamus (left) and CEO Brian Johnson (right)

DivvyCloud, a leading provider of security and compliance automation for public cloud and container infrastructure, today announced a $19 million growth round, bringing its total capital raised to date to $29 million. This round was led by Providence Strategic Growth with follow-on investments from existing investors MissionOG and RTP Ventures. The added investment allows DivvyCloud to make specific technological advancements to its cloud security and compliance solution, as well as expand sales and marketing efforts and customer success programs to meet rapidly increasing demand.

“In a quickly maturing market, DivvyCloud has demonstrated a unique value proposition for enterprises leveraging the public cloud,” said John R. Marquis, Principal, Providence Strategic Growth.

“Most enterprise companies are implementing a multi-cloud strategy and require a platform that allows them to fully embrace self-service access without losing control,” said Brian J. Shin, Managing Director, Providence Strategic Growth. “In the cloud era, security cannot be an impediment to innovation. Importantly, DivvyCloud delivers a strategy for companies to have their cake and eat it too – unrestricted access to cloud services for developers to drive innovation and a robust approach to improving security and compliance. The impact of DivvyCloud’s best-in-class software platform has been proven by impressive customer adoption and retention.”

DivvyCloud was founded in 2013 with a vision of empowering enterprises to give developers the freedom to innovate through self-service access to cloud services while at the same time enhance security and compliance. Building upon its industry-leading solution, DivvyCloud will leverage the infusion of capital to innovate its product offerings, including extending policy enforcement capabilities into the continuous integration/continuous delivery (CICD) pipeline and deepening integrations with key third-party solutions to enhance orchestration.

“Data breaches caused by misconfigurations of public cloud services have been dominating headlines in 2019 and are costing enterprises millions of dollars, needlessly,” said Brian Johnson, CEO and co-founder, DivvyCloud. “DivvyCloud is uniquely positioned, with our approach to automation that uses real-time remediation to allow enterprises to fully realize the benefits of public cloud and container adoption without the risk of misconfigurations and other common security and compliance issues. With this funding, we intend to deliver specific product advancements; strengthen support for containers, cloud identity, and serverless; and broaden our market penetration to benefit companies around the globe. Our goal is to enable every enterprise in the world to be able to confidently and securely embrace cloud services to drive rapid innovation.”

Headed by a strong leadership team, DivvyCloud has doubled its customer base in the last 12 months, including adding marquee customers Kroger, CoStar and Pizza Hut. The company has also doubled its staff in the past year, including adding key executive hires Scott Totman as head of engineering and product development, and Rick Juneja as head of customer success. Brian J. Shin, Managing Director of Providence Strategic Growth, has also joined DivvyCloud’s board of directors.

Further validating DivvyCloud’s market position, the company was named the Editor’s Choice Winner in Cloud Security by Cyber Defense Magazine in the 2019 Infosec Awards and was a winner in Cloud Security in the Cybersecurity Product category in the 2019 Cybersecurity Excellence Awards.

“The majority of our direct competitors have been acquired by large conglomerates, leaving DivvyCloud uniquely positioned as a well-funded company exclusively focused on driving innovation in the cloud security posture management category,” continued Johnson. “Enterprises continue to turn to our best-in-class software platform for a secure and compliant approach to operating cloud and container services.”

Most Cloud Breaches are Due to Misconfigurations

Most Cloud Breaches are Due to Misconfigurations

 

Breaches of data in the cloud are on the rise, not breaches of the underlying cloud provider’s infrastructure. This distinction between CSP and customer is vital since with cloud providers there is an explicit shared responsibility relationship. The cloud provider is responsible – and typically successful in – securing the underlying components of cloud services. The customer is responsible for securing how they use the cloud services, including properly configuring identity and access management (IAM), storage and compute settings, threat analysis and defense, and the security of the application and data processed and stored on the cloud.

If the underlying cloud infrastructure is secure, then responsibility for cloud breach must lie with the cloud customer. As Gartner states, “through 2022, at least 95 percent of cloud security failures will be the customer’s fault.”

If cloud breaches are typically due to misconfigurations, then organizations must implement controls that quickly – and automatically – prevent or detect and remediate these errors. To this end, CSPs offer a plethora of security controls. For example, Amazon AWS provides more than 30 different cloud-security related services (e.g., GuardDuty, CloudTrail, CloudHSM, CloudWatch, etc.), including the recent beta release of AWS Security Hub. These controls are essential, playing a primary role in secure cloud configurations, though just turning them on does not guarantee secure cloud configurations.

Secure cloud configuration must be a dynamic and continuous process. At a base level, there is the configuration of the cloud infrastructure (e.g., blocking SSH ports, and IAM). Next, there is the configuration of the CSP security controls (e.g., enabling log monitoring and encryption). And, finally, SecOps teams must address changes to settings (e.g., detecting and acting on a threat actor turning off logging to cover their tracks).

So, what controls detect and prevent misconfigurations? To answer this question, we align CSP controls against core aspects of cloud security: Audit, Visibility, Protection, and Detection. These core aspects build on the NIST Cybersecurity Framework (NIST CSF). To augment the NIST CSF and better align it to cloud security, we include automation as a core aspect. Automation is so central to cloud operations that there are a series of controls necessary to monitor, track, and enforce automation functions.

To learn more, read our white paper “Augmenting Native Cloud Service Provide Security” on determining when and how to augment CSP security controls.


DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Addiction Rehabilitation Centers Expose 150k Patient Records

Addiction Rehabilitation Centers Expose 150k Patient Records

Late last week, CNET reported the data from tens of thousands of patients at multiple addiction rehabilitation centers, were exposed due to an unsecured online database.  If you’re familiar with the current data breach trend this year, then you’ve probably already guessed what happened, another organization improperly secured their ElasticSearch Database.  

What happened? 
An independent researcher (the same one who discovered Mountberg Limited’s misconfigured database) discovered Steps to Recovery’s Elasticsearch database exposed to the internet without any form of authentication.  Unfortunately, this misconfiguration comes at the expense of almost 150k patients exposing their most sensitive medical information.

Given the stigma that surrounds addiction this is almost certainly not information the patients want easily accessible,” the researcher shared with CNET

These misconfigurations are often the result of a developer that was unaware of how to properly secure the storage asset, or a simple oversight. For example, a developer may have tweaked a storage container configuration as part of troubleshooting, leaving it open to the public. Once the application began working again, they moved on to another project completely forgetting about the exposed storage container. There are dozens of situations that may result in changes to a container’s configurations. Organizations are often made vulnerable because they don’t have processes in place to prevent or manage insecure software configurations and deployments.

Here are seven other orgs this year that have misconfigured Elasticsearch servers:

Organizations need continuous security and compliance in the cloud.  A “trust, but verify” approach meaning companies can trust that their developers and engineers are provisioning and configuring cloud and container services appropriately, but they need to verify this relative to security, compliance, and governance policies. Simple truth – rate of change and the dynamic nature of software defined infrastructure has outstripped human capacity and organizations need to automate the process of verification. Where there is a policy violation, make it easy to automatically remediate so that the environments are always secure and compliant

Interested in learning more? Speak with a DivvyCloud expert today!


Watch DivvyCloud’s 60 second video to learn how we help customers like GE, 3M, Autodesk, Discovery, and Fannie Mae stay secure and compliant.

DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Automating Your AWS Landing Zone

Automating Your AWS Landing Zone:
Enabling Large-Scale Migrations and Next-Gen Apps

Before you migrate applications to, or build next-gen applications on, Amazon Web Services (AWS), you need to ensure that you have a landing zone in place. The landing zone concept is a key component of cloud operational maturity as part of your enterprise multi-account environment strategy.  

A landing zone should enable self-service for developers and engineers through the use of policy guardrails. These policy guardrails should be in place before migration, during migration, and post migration. After all, security and compliance cannot be a one-time effort, they must be a continuous process in order to minimize the risk of misconfigurations or policy violations.

DivvyCloud delivers several key components to ensure policy guardrails are automated:

  • Unified security and compliance policies in multi-account environments mapped back to industry standards or your organization’s standards.  
  • Monitoring of policy violations across multiple-account environments.
  • Real-time, user-driven, automated remediation of policy violations to minimize and mitigate risk.
  • Reporting to verify security and compliance to peers, executives, and auditors and to build trust in CloudOps and CloudSecOps.

DivvyCloud recommends at a minimum using policies associated with the following standards pre-migration to build your landing zone:

  • CIS AWS Benchmark
  • CIS Kubernetes Benchmark (applies to AWS EKS)
  • NIST Cybersecurity Framework

DivvyCloud also offers policies mapped to the following additional standards for your deployment pre-migration:

  • NIST 800-53
  • PCI DSS
  • SOC 2
  • ISO 27001
  • GDPR
  • CSA CCM
  • FedRAMP CCM
  • HIPAA

You can create custom standards in DivvyCloud that include policies from one or more of the out-of-the-box standards and also build your own unique custom policies from scratch.  

By deploying DivvyCloud pre-migration you can test each application to be migrated against these policies and avoid situations in which the application is out-of-compliance from their inception in AWS. This avoids immediate security and compliance issues and solves for challenging rework after the application has been promoted to production.  

During migration DivvyCloud ensures that as developers and engineers leverage self-service capabilities to make changes these changes don’t violate security and compliance policies, and if they do they are immediately identified and corrected. This ensures that post-migration there are no surprises and again minimizes rework.

Post migration DivvyCloud plays an important role in ensuring that any drift that occurs from the initial configuration does not violate policy and delivers maturity to CloudOps and CloudSecOps teams. DivvyCloud’s ability to monitor, remediate, and report on security and compliance means that these teams can keep up with the incredible pace of cloud and rest easy.

Watch DivvyCloud’s 60 second video to learn how we help customers like GE, 3M, Autodesk, Discovery, and Fannie Mae stay secure and compliant.


DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Facebook Exposes 540 Million User Records

DivvyCloud is a way to deploy policy, minimize blast radius and give developers the freedom to operate within the guide rails of safety.

Thomas Martin

Head of Application Modernization, GE Digital

Facebook Exposes 540 Million User Records

Just when we thought that the incidents involving S3 bucket leaks were slowing down.The Washington Post reports that Facebook exposed the data from over 540 million users in publicly accessible AWS S3 buckets. We are about a year past the Cambridge Analytica debacle and with this latest security issue, the question is-can Facebook actually protect its user’s privacy?

What Happened?
According to The Washington Post, the security firm UpGuard discovered the trove of data exposed from not one, but two different Facebook apps. Cultura Colectiva, a media company based in Mexico City, was the first app discovered with an open AWS S3 bucket exposing 540 million records on Facebook users, totaling 146GB of data that included everything from comments and likes, to account names and Facebook IDs. The second misconfiguration comes from Facebook-integrated app At the Pool, which published plain text data on 22,000 Facebook users to a public Amazon S3 bucket.

Notable 2018 AWS S3 Bucket Leaks:.

 

How did these S3 Buckets get exposed?
Check out what we wrote last year, when PocketiNet misconfigured an S3 bucket exposing 73 gigabytes of operational data. It remains applicable today: “We don’t know for sure, but often times the S3 Bucket configuration is incorrect. The created container permissions may have been too broad which allows anyone to access the data (as may be the case with the Facebook apps). Again, Cultura Colectiva’s S3 Buckets may have been serviced by people who aren’t familiar with security, thus the developer who created the container was unaware of how to properly secure it, or it was something as simple as an oversight.  For example, in Cultura Colectiva’s case, they may have had a developer who was troubleshooting an issue that was causing an application to fail and suspected the S3 Bucket access was to blame. The developer may have tweaked the S3 configuration leaving it open to the public, and as the application began working again, moved on to another project. Now they have an exposed S3 Bucket. It may not have even been the developer’s fault as someone else may have altered the bucket’s configurations at a later date for any number of reasons. The point is, so many organizations are made vulnerable because a lot of them don’t have processes that prevent insecure software deployments.

How do organizations avoid S3 bucket leaks?
For starters, the Facebook app makers could have done nothing. Amazon S3 buckets are private by default and can only be accessed by users that have been explicitly given access. Again, by default, the account owner and the resource creator are the only ones who have access to an S3 bucket and key, so someone has to deliberately misconfigure an S3 to expose the data.  

Amazon has been actively working to help companies avoid breaches caused by misconfiguration. In November 2017 AWS added number of new Amazon S3 features to augment data protection and simplify compliance. For example, they made it easier to ensure encryption of all new objects and to monitor and report on their encryption status. They have also provided guidance on approaches to combat this issue, like the use of AWS Config to monitor for and respond to S3 buckets allowing public access.

As a most basic first step to avoiding S3 bucket leaks, take advantage of the native AWS capabilities. Ensure that you are always purposefully using AWS S3 access policies to define who can access the objects stored within. Ensure your team is well trained to never open access to the public, unless absolutely necessary, as doing so can result in the exposure of PII and other sensitive data. And help prevent unauthorized access to your data by taking advantage of capabilities like AWS Config.  

The challenge is that many organizations struggle to adopt and enforce best practices consistently, and only 100% consistency can ensure protection against a breach. This is why an investment in cloud operations is a vital additional step.

Invest in Cloud Operations:
Cloud operations, or CloudOps, is the combination of people, processes, and tools that allow for organizations to consistently manage and govern cloud services at scale. Key to this is hiring and developing the right people, identifying processes that address the unique operational challenges of cloud services, and the automation of these processes with the right tools.  One vital tool in your CloudOps toolkit should be software like DivvyCloud, that monitors and remediates cloud misconfigurations, allowing you to achieve continuous security and compliance at scale.

Make S3 bucket leaks a thing of the past (now and forever). Install DivvyCloud with a  free 30-day trial or speak with a DivvyCloud expert today!


DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Feature Release 19.1 Enhanced Visibility & Monitoring

DivvyCloud is a way to deploy policy, minimize blast radius and give developers the freedom to operate within the guide rails of safety.

Thomas Martin

Head of Application Modernization, GE Digital

Feature Release 19.1: Enhanced Data Visibility & Monitoring, Improved Remediation, & More

 

We are excited to announce our first release of 2019! Collaboration with our customers and the broader community help shape our releases with improvements to core capabilities around discovery, analysis, and automated remediation of cloud and container infrastructure. Each release also includes several new features and support for the ever-expanding portfolio of services from the major cloud providers.

This release focuses on data and visibility, and we’ve introduced some fantastic capabilities including event-driven harvesting for Google Cloud, to deliver an additional layer of monitoring and improve our real-time automated remediation capabilities. Also in GCP, customers can retrieve the billing information for their Google Cloud footprint by interconnecting DivvyCloud with their billing bucket where that monthly data is stored. Our support for Amazon Web Services, Microsoft Azure, and Google Cloud Platform has increased with more than 100 new filters, actions, and general enhancements, and finally, customers now can export compliance information from insight packs.

Highlights:


 

1. GCP Billing Visibility
DivvyCloud has added the ability to ingest billing information from Google Cloud. This makes it easy to analyze historical spend, but more importantly you can use this data to drive action inside the DivvyCloud platform. Each of the line items in your bill is a resource, which means you can use any line item to build an insight. For example, you might configure an alert if any member of your developer account(s) spends more than $500 in a given period, enabling proactive visibility when developers start experimenting with new and novel cloud services that might unintentionally run up your bill.

DivvyCloud GCP Billing Visibility

Cloud costs are operational expenditures as opposed to capital expenditures, so they should be treated like a utility bill. If you went on vacation for two weeks, you wouldn’t leave your lights or your television on the whole time because there would be huge, unwanted costs at the end of the month. The problem with cloud expenditure is, without visibility into your total cost you’re going to receive a bill at the end of the month without any sense of whether the expenditure is better or worse. More often than not, your bill is going to get worse.

Resource Filters: Cloud Service Cost

Many customers are concerned about developers experimenting with a new Google Cloud service that may be extremely expensive. All too often, a well-intentioned person starts up a service to experiment, gets distracted, forgets about the service, and a month later a massive bill comes due. These types of cost overruns are a nightmare scenario that we can now prevent in Google Cloud.

 

2. Data Exporter – Compliance Exporting
Our product effectively works with a lot of scanning of resources in the cloud, pervasively harvesting them down. We have a collection of approximately 250 native checks/policies and users are free to add their own. While the native checks refresh every hour to provide a snapshot of potential problems, several of our customers requested the ability to consume the data outside of the platform. For example, an organization may have a group of data scientists who want to digest the data, apply heuristics to it, and generate a specific type of report. DivvyCloud provides a big piece of that puzzle.

Insights Library

Customers can configure any of DivvyCloud’s compliance packs which focus on specific insights, instead of dealing with all 250. For example, by selecting the “(CIS) – Microsoft Azure” pack you can narrow the focus to 51 specific insights.

Customers can then export that to a designated AWS or GCP storage bucket using the credentials of an organization service account. The contents of the report provide low-level data mapping of resources to compliance issues. The content is intended for teams wanting to use the data for custom reports and integrations with external business intelligence and analytics tools. For more information, see Compliance Exporting.

 

3. Event-Driven Harvesting for GCP 
In this release, we introduce event driven harvesting for GCP resources. Before this release we exclusively used an API-driven polling based approach to discover resources and monitor their configuration relative to policies. With the addition of event driven harvesting, we now offer a best in class dual layer approach for discovering and monitoring resources. Harvesting can now be triggered based upon events in your cloud, as opposed to solely relying on a polling based approach. This dual layer approach provides the best of both worlds – the full immutable discoverability of API harvesting with the speed and richness of event driven harvesting.

Imagine in every account you have, you have to make 30,000 API calls and even if an API call is less than a second (which it’s not), it would take about half a day to scan the data. That’s a daunting task. Most of our customers have 500+ clouds. Event-driven harvesting allows us to get the data much more intelligently in real-time.

Three Main Benefits of Event Driven Harvesting:

  • Fast Identification & Remediation of Issues with Key Resources – Faster identification, and reaction/remediation to change. In GCP you can identify changes within 2 seconds for key resources, allowing DivvyCloud to collect the information from this event stream. This approach speeds up our ability to identify a change, evaluate it against policy, and then take action to remediate policy violations.
  • Specific Data About Any Changes – Event driven harvesting provides rich contextual information and full visibility into who did what, where, and when. DivvyCloud can take the user name and make it a property in the system, which results in a fix in that system in perpetuity. Customers can now auto-tag resources, and if anything is wrong, the data will point to a specific, impacted individual. This helps enrich the data we have with the user.
  • Audit Global Changes Via Event Stream – Imagine you have 300+ projects. Using DivvyCloud badges you could ask the system to: “show me all production changes,” and then across all of your projects that are badge production, get a full, uniform feed of all production changes.

 

4. Additional Cloud Support/Enhancements

  • Amazon Web Services
    • Support for DocumentDB
    • Support for Neptune
    • Support for Secrets Manager
    • Support for FSx
  • Google Cloud Platform
    • Support for BigQuery
    • Support for Billing
    • Support for Load Balancing
  • Microsoft Azure
    • Capture Azure Key Vault information for Storage Accounts
    • Add visibility to the encryption configuration for Blob Storage

Interested in learning more? View the full release notes associated with our 19.1 release, or get your free trial and see our features in action.


DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Health Tech Company Leaks Thousands of Medical Records

Join Our Newsletter

Health Tech Company Leaks Thousands of Medical Records

Earlier this week, TechCrunch reported that Meditab, a California-based software company, leaked thousands of doctor’s notes, medical records, and prescriptions daily after a security lapse left an Elasticsearch server without a password.  This is the 7th time in 2019, we have written about a company exposing data via a misconfigured Elasticsearch server.

Here are the six other orgs this year that have misconfigured Elasticsearch servers:

What happened this time?
Meditab, who describes themselves as a secure online electronic medical records & practice management software, processes electronic faxes for healthcare providers.  However, according to TechCrunch, their fax server, which was running an Elasticsearch database with over six million records, wasn’t properly secured, and lacking password protection, anyone could read the transmitted faxes in real-time.

What information was exposed?
A trove of unencrypted personal information, including medical records, doctor’s notes, prescription amounts and quantities, as well as illness information, such as blood test results.  The faxes also included names, addresses, Social Security numbers and most troubling, personal data and health information on children.

SpiderSilk, a Dubai-based cybersecurity firm, found and reported the exposed Elasticsearch Server and it remains unknown if anyone else discovered it, or how long the data was exposed.

How do you ensure continuous security in your cloud and container environments?
 Invest in cloud operations. This is the best way to ensure that your organization is consistently and continually mitigating this risk.  Cloud operations, or “CloudOps”, is the combination of people, processes, and tools that allow for organizations to consistently manage and govern cloud services at scale. Key to this is hiring and developing the right people, identifying processes that address the unique operational challenges of cloud services, and the automation of these processes with the right tools.  

One vital tool in your CloudOps toolkit should be software that provides centralized visibility of configuration choices, real-time evaluation of these choices against security policies, and automated remediation when a policy is violated.

Interested in learning more? Speak with a DivvyCloud expert today!

Giant Ecommerce Company Exposes 1.5 Million Records

Join Our Newsletter

Giant Ecommerce Company Exposes 1.5 Million Records

For the sixth time this year, we are writing about another major Elasticsearch misconfiguration.  Late last week, VPNMentor discovered Gearbest, a massively successful Chinese ecommerce company, had a major security breach.  

The issue?  
An Elasticsearch server was once again (see below) not protected with a password, allowing anyone to search the database and exposing 1.5 million customer records.  Gearbest is ranked as one of the top 250 global websites, with hundreds of thousands of sales every day. Their exposed information included names, addresses, phone numbers, email addresses, customer orders, products purchased, and in some cases, passport numbers and other national ID data.

This security lapse adds to a growing list of organizations in 2019 that have left Elasticsearch servers unprotected, exposing a lot of proprietary data:

      • Voipo: Telecoms company that provides VoIP services
      • Mountberg Limited: Online casino group
      • Ascension: Data and analytics company for the financial industry
      • Rubrik: IT security and cloud data management
      • Dow Jones: Stock market index

DivvyCloud CEO and Co-Founder, Brian Johnson, commented on Gearbest’s misconfiguration:

“Gearbest’s data leak of over 1.5 million customer records adds to a growing list of organizations that have suffered security lapses in 2019 due to misconfigured Elasticsearch servers. However, Gearbest’s incident stands out since passport numbers, national ID numbers and full sets of unencrypted data, including email addresses and passwords were among the exposed information. This data could allow hackers to easily steal Gearbest’s customers’ identities by cross-referencing with other databases, and allow malicious actors access to online government portals, banking apps, health insurance records, and more.

Organizations like Gearbest must learn to be diligent in ensuring data is protected with proper security controls. Automated cloud security solutions would have been able to detect the misconfiguration in the Elasticsearch database and could either alert the appropriate personnel to correct the issue, or trigger an automated remediation in real-time. These solutions are essential to enforcing security policies and maintaining compliance across large-scale hybrid cloud infrastructure.”

Interested in learning more? Speak with a DivvyCloud expert today!

An Unprotected MongoDB Database Exposed 809 Million Records

Join Our Newsletter

An Unprotected MongoDB Database Exposed 809 Million Records

Wired broke the story last week that security researchers discovered Verifications.io’s (an email validation firm) unprotected, publicly accessible MongoDB database containing 150 gigabytes-worth of detailed, plaintext marketing data—including 763 million unique email addresses. The trove, as Wired reported, is not only massive but also unusual; it contained data about individual consumers as well as suspected “business intelligence data,” like employee and revenue figures from various organizations.

DivvyCloud’s Chris DeRamus (CTO) explains this recent leak in more depth
“The data exposed in this leak of nearly 809 million records is unique, and highly exploitable since it includes business intelligence data such as employee and revenue figures from various companies, as well as genders, user IP addresses, email addresses, dates of birth and more. If a bad actor were to discover this massive trove of data, they could easily validate the contact information for the users included launching a more focused phishing or brute force campaign.

We live in a world where data is king—collecting, storing and leveraging data is essential to running just about any business. All the more reason organizations must be diligent in protecting data with proper security controls. Automated cloud security solutions would have been able to detect the misconfiguration in the MongoDB database containing this information and could either alert the appropriate personnel to correct the issue or trigger automated remediation in real-time. These solutions are essential to enforce policy, reduce risk, provide governance, impose compliance and increase security across large-scale hybrid cloud infrastructure.”

What prevents companies from solving these cloud security problems?
Security and lack of visibility in governance and compliance are just symptoms of the problems organizations are facing. It’s a signal and noise problem. Over the last couple of years, the number of resources that enterprises are dealing with has grown exponentially. That’s relatively obvious regarding the new technologies, but what is often not realized is that two other things that have changed — the amount and types of people who are touching the infrastructure. Now you have a large number of resources and every engineer touching infrastructure to apply  real-time changes. Admins can’t see all of the problems, and they are losing control. Even if they CAN see all of the issues, they will suffer from alert fatigue as there is no way to keep up. Just knowing where your problem areas are doesn’t help. Simple truth – the rate of change and the dynamic nature of software-defined infrastructure has outstripped human capacity. We need to move towards a trust but verify approach.

Interested in learning more? Speak with a DivvyCloud expert today!

Dow Jones Exposes Data: Joins the List of 2019 Elasticsearch Leaks

A little more than two months into 2019 and for the fifth time we are writing about another massive company data leak and another misconfigured Elasticsearch server. Reminiscent of the AWS S3 bucket leaks in 2018, Elasticsearch servers are proving a problem for companies to configure correctly.

What happened this time?
According to an article on Yahoo Finance, an exclusive Dow Jones & Co. watchlist of more than 2.4 million high-risk clients was unintentionally exposed due to a misconfigured and unsecured Elasticsearch database hosted on AWS. “Used by eight of the world’s ten largest, global, financial institutions Dow Jones Watchlist is statistically proven to be the most accurate, complete, and up-to-date list of senior PEPs (politically exposed persons), their relatives and close associates,” Diachenko wrote.  The watchlist contained the identities of government officials, politicians, and people of political influence in every country of the world.

Security researcher Bob Diachenko, found the exposed watchlist in late February after a third-party company left it open without a password. This security lapse adds to a growing list of organizations in 2019 that have left Elasticsearch servers unprotected, exposing a lot of proprietary data:

    • Voipo: Telecoms company that provides VoIP services
    • Mountberg Limited: Online casino group
    • Ascension: Data and analytics company for the financial industry
    • Rubrik: IT security and cloud data management

DivvyCloud’s CTO, Chris DeRamus, told SiliconAngle “Dow Jones suffered a similar cloud storage misconfiguration two years ago that exposed the information of 2.2 million customers. It’s concerning that with this new exposure, Dow Jones did not take proper steps to strengthen its security posture. Organizations must realize the importance of balancing their use of the public cloud, containers, hybrid infrastructure and more with proper security controls.”

Why are so many companies suffering misconfigurations?
Overnight, we have gone from people who spent their entire lives in IT and security who understood the security process, to people who had never thought about security deploying applications in their infrastructure. The issues that are happening in today’s security realm, the headlines we are all seeing, are not complex, these are standard misconfiguration issues.  Even still, this is not new. We went through this 15 years ago when we got used to building out data centers and server farms. This is just a new set of lessons, you just have to learn a new approach to it. Problem is, none of that information transferred because the shift to the cloud wasn’t driven by IT; it was driven by engineering teams.

The amount of people touching cloud infrastructure has dramatically changed.  In the past, you had 40 people touching the infrastructure at any moment. Today it’s moved to 3,000 people deploying applications and making engineering changes to infrastructure. Enterprises have also moved from once a week production deployment to production deployments that are happening on an hourly basis. These continuous integrations and continuous deployment approaches leads to massive infrastructure, mixed with a large number users and changes happening at once. This, in turn, leads to loss of control and a self-service bypass that avoids the lessons learned from IT.  Even if IT leverages a tool that provides alerts, they will still fall victim to alert fatigue. This is not a sustainable approach.

How to avoid these misconfigurations?
The DivvyCloud approach enables organizations to change how they deploy and build applications entirely. This is not necessarily just a technology shift, but more of a cultural change. Everything an IT department does will need to change: how they deploy applications, what applications they build, how they learn from their customers, etc. All of that has to change because engineering teams have direct access to infrastructure and old processes aren’t going to work. Simple truth: the rate of change and the dynamic nature of software-defined infrastructure has outstripped human capacity. If companies get a list of a thousand problems, even with 100 people tasked with resolving them, problems either disappear, move, or are replaced with even more significant issues. Enterprises need to be able to deal with faults in real-time.  

Organizations need a security solution that provides the automation essential to enforce policy, to reduce risk, provide governance, impose compliance, and increase security across large-scale hybrid cloud infrastructure. Automation should take the pain out of making cloud infrastructure secure in a shared responsibility world by providing a framework for what organizations should be doing via a continuous, real-time process. By utilizing security automation, companies can stay agile and innovate, while maintaining the integrity of their technology stack and applying the policy they deem necessary to operate their business.

Core to a company’s solution should be an easy-to-use interface from which clients can manage their existing cloud infrastructure. At scale, policy enforcement cannot and should not be performed manually. Security automation can discover and automatically take action to address policy infringements or security issues (like an exposed ElasticSearch Database). It also allows for simultaneous offense and defense, resulting in increased innovation and a reduction of risk.

Interested in learning more? Speak with a DivvyCloud expert today!

DivvyCloud’s 2019 State of Enterprise Cloud Adoption and Security Report

DivvyCloud’s 2019 State of Enterprise Cloud Adoption and Security Report

DivvyCloud released its 2019 State of Enterprise Cloud and Container Adoption and Security report. Findings include analysis of responses from nearly 2,000 enterprise IT professionals regarding their organizations’ adoption of cloud and container services, as well as their perceptions of the security risks associated with these services.

The major finding of the report was that most respondents could not accurately identify the higher risk of misconfigurations in public cloud compared to traditional IT environments, indicating a lack of understanding of the security challenges associated with protecting data in the public cloud. Additionally, more than one-third of respondents were unsure which standards were relevant to the governance of their organization’s cloud and container environments. The data also shows organizations are rapidly embracing self-service cloud access for developers and engineers, which fuels innovation, but also compounds potential security and compliance complications.

Modern services including public cloud, containers, serverless and microservices are helping enterprises innovate quickly and maintain a competitive position in the market,” said Brian Johnson, CEO and co-founder of DivvyCloud. “Companies should feel empowered to embrace these tools, but it is essential that they have a true understanding of the compliance and security implications, and employ the people, processes and systems needed to maintain a strong security posture.

Key findings from the report include:

  • Of the organizations leveraging AWS, 73 percent provide self-service access to developers or engineers for provisioning and configuring AWS instances. Similarly, 61 percent of organizations using Microsoft Azure provide self-service access, and 58 percent of Google Cloud Platform users provide self-service access
  • 77 percent of respondents reported having two or more clouds, adding to the complexity of maintaining security and compliance
  • 74 percent of respondents said they are moderately or highly concerned about the security of the public cloud
  • Less than half of respondents were able to accurately identify the risk of misconfiguration in public cloud as higher than the risk in traditional IT environments
  • 78 percent of respondents said their organizations are either already using containers or plan to implement containers in 2019. For those that already employ containers, 47 percent said Kubernetes was their organization’s primary service, and 14 percent cited it as a secondary container solution
  • AWS and Microsoft Azure are the clear leaders in terms of adoption rate as organizations’ primary cloud solution, at 60 percent and 44 percent, respectively

Click here to read the full report and analysis of findings. 



About DivvyCloud
DivvyCloud helps enterprise customers improve security, take control, and minimize risk as they embrace the dynamic, self-service, nature of public cloud and container infrastructure. With DivvyCloud, security, GRC and operations professionals can identify risks in real-time and take automatic, user-defined action to fix problems before they’re exploited. Customers run DivvyCloud’s software to achieve continuous security governance in cloud and container environments. To learn more: https://divvycloud.com

DivvyCloud Named Editor’s Choice Award Winner by Cyber Defense Magazine

DivvyCloud Named Editor’s Choice Award Winner by Cyber Defense Magazine

Cyber Defense Magazine named DivvyCloud its Editor’s Choice Winner of the 2019 InfoSec Awards in the Cloud Security category!

While exploits of public cloud and container environments are on the rise, DivvyCloud has won the Editor’s Choice Cloud Security InfoSec Award for 2019 from our magazine. They won after we reviewed nearly 3,000 InfoSec companies, globally, because they are an innovator on a mission to help stop breaches and get one step ahead of these threats, proactively,” said Gary S. Miliefsky, publisher, Cyber Defense Magazine.

Award recipients were selected by a panel of security professionals, with the goal of recognizing innovative products that can actually help organizations stop breaches and get one step ahead of the next threat.

Modern services including public cloud, containers, serverless and microservices are helping enterprises innovate quickly and maintain a competitive position in the market,” said Brian Johnson, CEO and co-founder of DivvyCloud. “Companies should feel empowered to embrace these tools, but it is essential that they have a true understanding of the compliance and security implications, and employ the people, processes and systems needed to maintain a strong security posture. We are honored to have our unique approach to solving this critical pain point recognized by Cyber Defense Magazine.

Winners were announced at the RSA Conference 2019, where DivvyCloud is showcasing how organizations can gain the freedom to innovate by providing developers self-service access to cloud and container environments while adhering to security best practices and maintaining compliance.

If you are attending RSA, come by booth 4207 – Moscone North Expo – for a demo of our innovative security platform and chat with us about your security and compliance strategy for AWS, Azure, GCP, and Kubernetes.



About CDM InfoSec Awards
This is Cyber Defense Magazine’s seventh year of honoring InfoSec innovators. Our submission requirements are for any startup, early stage, later stage, or public companies in the INFORMATION SECURITY (INFOSEC) space who believe they have a unique and compelling value proposition for their product or service. Learn more at www.cyberdefenseawards.com

About the Judging
The judges are CISSP, FMDHS, CEH, certified security professionals who voted based on their independent review of the company submitted materials on the website of each submission including but not limited to data sheets, white papers, product literature, and other market variables. CDM has a flexible philosophy to find more innovative players with new and unique technologies, than the one with the most customers or money in the bank. CDM is always asking “What’s Next?” so we are looking for Next Generation InfoSec Solutions.

About Cyber Defense Magazine
With over 1.4 million annual readers and growing, and over 7,000 pages of searchable online infosec content, Cyber Defense Magazine is the premier source of IT Security information. We are managed and published by and for ethical, honest, passionate information security professionals. Our mission is to share cutting-edge knowledge, real-world stories and awards on the best ideas, products and services in the information technology industry. We deliver electronic magazines every month online for free, and limited print editions exclusively for the RSA conferences and our paid subscribers. CDM is a proud member of the Cyber Defense Media Group. Learn more about us at http://www.cyberdefensemagazine.com and visit http://www.cyberdefensetv.com and http://www.cyberdefenseradio.com to see and hear some of the most informative interviews of many of these winning company executives.

About DivvyCloud
DivvyCloud helps enterprise customers improve security, take control, and minimize risk as they embrace the dynamic, self-service, nature of public cloud and container infrastructure. With DivvyCloud, security, GRC and operations professionals can identify risks in real-time and take automatic, user-defined action to fix problems before they’re exploited. Customers run DivvyCloud’s software to achieve continuous security governance in cloud and container environments. To learn more: https://divvycloud.com

Automation You Can Trust: Remediating Cloud Misconfigurations and Policy Violations in Real-time

Automation You Can Trust: Remediating Cloud Misconfigurations and Policy Violations in Real-time

Automated remediation can be an effective tool for ensuring system security–provided remediation policies are configured in a way that is appropriate to a company’s software release process. There are few things more distressing than having a remediation tool that’s intended to avoid disaster inadvertently create one.

For example, imagine adding a new security policy to an automated remediation system that’s intended to restrict a container from having root access to its host. At first glance, this policy is a reasonable addition but, after deploying the policy into a production environment, the result is that a number of preexisting containers that require root access are made inoperative. Thus, system failure occurs. What started as a good idea turned into an IT disaster.

Clearly, the scenario described above this is one that needs to be avoided. The question is how? After all, the scenario’s policy rule is sound. The problem is that the rule was introduced too late in the development cycle. The rule should have been introduced earlier in the software development lifecycle for example in the testing or staging phases of the release process. Of course, introducing the remediation rule early on will still wreak havoc, but the failure will occur in a “safe” environment in which the problem will be exposed and fixes can be put into place. Then, once the troublesome behavior in the software was corrected, both the new policy and the new code can be moved in tandem into production.

While the scenario illustrated above is a bit dramatic, it does provide a good example of the importance of establishing appropriate remediation policies throughout the entire software development process. A good set of remediation policies will react to security and best practices violations according to both the degree of severity and the release phase in which the violation occurs. Draconian severity responses might be appropriate to execute in testing and staging phases, yet completely unwarranted in production environments, and vice versa.

Getting Started with Automated Remediation
One of the benefits of DivvyCloud is that a response to a given violation is configurable according to the needs and maturity of the given IT organization. Companies that are just starting out with automated remediation might do well to respond to problems by sending out emails or notifications in a Slack channel and leaving physical remediation actions in the hands of a developer or system administrator.

Other companies that are further along with automated remediation and are more trusting of the technology will impose more stringent remediation behavior is response to a policy violation for example, gracefully stopping a build or safely removing a container from a cluster. Adopting automated remediation is not an all-or-nothing undertaking. It can be done in an incremental manner by introducing more powerful remediation automation over time as companies become more skillful using the technology.

Few companies get remediation automation right at the beginning. It takes time to establish a set of remediation policies that work. The important first step to using remediation automation effectively is make sure that all members of a company’s IT staff are committed to using remediation automation. Once the commitment is made, a company then develops appropriate remediations policies in an iterative fashion that fit the needs of the enterprise’s day to day operations.

The world of ephemeral computing using the cloud, containers, and Kubernetes continues to evolve in ways that are both innovative and challenging. Change happens so fast it’s hard for Security and GRC professionals to keep up. But there is help available. DivvyCloud automation allows developers to engage in more experimentation and innovation while also providing the trust and verification that system administrators need to ensure that work is being done according to industry standard security guidelines and well-established best practices.

Interested in learning more? Speak with a DivvyCloud expert today!


DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Creating a Cloud Security Strategy with Culture and Technology

Creating a Cloud Security Strategy with Culture and Technology

Companies like Discovery Communications, Twilio, 3M, General Electric, Fannie Mae that use DivvyCloud successfully not only embrace technology, but also make the cultural and organizational changes necessary to realize the full benefit of securing their enterprise using an automated monitoring, analysis, and remediation tool.

In order to take full advantage of the cloud and containerized computing paradigm, companies need to have the right people, processes, and tools in place in order to execute against the vision. Yet many companies will incur a great deal of expense hoping to achieve the goal only to come up short. These companies spend money on all kinds of software and training, yet they overlook the cultural and personnel changes necessary to fully adopt computing on the cloud.

Companies that have experienced success moving to the cloud have come to understand that you can’t simply buy your way into a digital transformation. A successful digital transformation requires an investment of time and effort from a people perspective. It must have buy in from the top in order to have a sustainable effect as it’s about moving from a command and control management style to one based on an operational theme of trust but verify.

Moving from Command and Control to Trust But Verify
The introduction of cloud computing and containers has brought about a significant change in the way large enterprise customers approach information technology. They’ve gone from having a centralized IT department that’s focused on controlling everything from user access to server, storage and network provisioning to a self-service model in which developers create the computing infrastructure as they need it.

This transformation has forced system administrators to move away from being the sole protectors of the IT infrastructure into a role more akin to that of Systems Management Consultant who is concerned with ensuring that the business is getting maximum value from its investment. Thus, while the operational sensibility in the past has been about Command and Control, today the watch words are Trust But Verify. However, for many companies, making this transformation has not been easy.

The notion of letting developers provision environments independently is a hard pill for many system administrators to swallow. Some never make the transformation. But those who have see the value of making automated monitoring and remediation technology part of the IT infrastructure. Allowing developers to have more independence promotes the agility, speed, innovation and sense of experimentation required for modern businesses to maintain a competitive advantage.

Providing a robust set of automated monitoring and remediation tools gives businesses the ability to ensure that developers are acting wisely and not creating risks that are preventable. Supporting a theme of “Trust But Verify” means having a culture that allows developers the freedom to experiment and innovate while also giving systems personnel the tools they need to make sure that developers are working safely. As such, automated monitoring and remediation tools are indispensable. But, as with any tool, they must be used wisely otherwise the anticipated benefits of the technology can become unforeseen roadblocks. This is particularly true when it comes to configuring a remediations tool’s severity policies.

Want to read more about real-time remediation? Read Automation You Can Trust: Remediating Cloud Misconfigurations and Policy Violations in Real-time.


DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Another Data Breach – Rubrik Joins “Massive Data Breach” List

Another Data Breach – Rubrik Joins “Massive Data Breach” List

Rubrik, an IT security and cloud data management giant, exposed a whole cache of customer information, improperly stored in an Amazon ElasticSearch database. A little over a month into 2019 and Rubrik has become the fourth company we’ve featured in 2019 that has left a ElasticSearch Server unprotected and exposed.

The First Three Offenders:

  • Voipo: Telecoms company the provides VoIP services
  • Mountberg Limited: Online casino group
  • Acension: Data and analytics company for the financial industry

According to TechCrunch, (exactly like the three companies listed above) Rubrik’s ElasticSearch server wasn’t protected with a password exposing tens of gigabytes of data including customer names, contact information, contents of customer service emails, customer IT/cloud set-up and configuration information, and email signatures with names, job titles and phone numbers.

“It’s somewhat ironic, given that the IT unicorn, valued at $3.3 billion, recently announced that it’s expanding into security and compliance services.”

Even for a massive IT security and data management company like Rubrik, learning about how to configure ever-evolving cloud services correctly is a daunting task.  It is even more daunting to know how to do this relative to the security standards (e.g., CIS Benchmark or NIST CSF) and regulatory frameworks (e.g., PCI DSS or HIPAA) that a company chooses to or must comply with. And lastly, it is difficult for any one person or group of people to achieve 100% consistency in applying these standards at the speed and throughput that we ask our tech teams to operate.

What’s the solution?
Organizations need an automated cloud security solution that provides the automation essential to enforce policy, thus reducing risk, provide governance, impose compliance, and increase security across large-scale hybrid cloud infrastructure. Security automation should take the pain out of making cloud infrastructures secure in a shared responsibility world by providing a framework for what organizations should be doing via a continuous, real-time process.  By utilizing security automation, companies can stay agile and innovate, while maintaining the integrity of their technology stack and apply the policy they deem necessary to operate their business.

Core to a company’s solution should be an easy-to-use interface from which clients can manage their existing cloud infrastructure. At scale, policy enforcement cannot and should not be performed manually. Security automation can discover and automatically take action to address policy infringements or security issues (like an exposed ElasticSearch Database). It also allows for simultaneous offense and defense, resulting in increased innovation and a reduction of risk.

Interested in learning more? Speak with a DivvyCloud expert today!



DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Huge Data Leak: 24 Million Financial and Banking Docs Exposed!

Huge Data Leak: 24 Million Financial and Banking Docs Exposed! 

We are barely a month into 2019, and this is the third time we’ve written about a data leak stemming from an unprotected ElasticSearch server.

The first two offenders:

The third offender, according to TechCrunch, was a data and analytics company for the financial industry, based in Fort Worth, Texas, named Ascension. “The company provides data analysis and portfolio valuations. Among its services, the Ascension converts paper documents and handwritten notes into computer-readable files — known as OCR.”

What happened? 
More than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the biggest banks in the U.S., leaked from an ElasticSearch server that was left exposed online without a password.

TechCrunch reported that more than a decade’s worth of data, containing loan and mortgage agreements, and other highly sensitive financial and tax documents were revealed in the misconfiguration, as well as  names, addresses, birth dates, Social Security numbers and bank and checking account numbers, and details of loan agreements.

Why are so many ElasticSearch databases being exposed?
ElasticSearch is an open source, standalone database server developed in Java. Basically, it is used for full-text-search and analysis. It takes in unstructured data from various sources and stores it in a sophisticated format that is highly optimized for language based searches.

Like so many AWS, GCP, Azure, and Alibaba cloud services, ElasticSearch Service is an incredibly powerful and useful service. It is also very challenging for IT professionals, developers, and engineers to consistently configure these powerful services in a way that mitigates security and compliance risk.
First, it is a daunting task to learn about how to configure ever-evolving cloud services correctly — it is like drinking from a firehose. Second, it is even more daunting to know how to do this relative to the security standards (e.g., CIS Benchmark or NIST CSF) and regulatory frameworks (e.g., PCI DSS or HIPAA) that a company chooses to or must comply with. And lastly, it is difficult for any one person or group of people to achieve 100% consistency in applying these standards at the speed and throughput that we ask our tech teams to operate.

In the Financial Service Industry in particular, organizations are experiencing a culture shift as they respond to consumer demand for improved experiences delivered when and how they want them. Building applications and migrating regulated workloads to Amazon Web Services, Microsoft Azure, and Google Cloud Platform offers an attractive way to speed innovation, time to market, and resilience. For financial service organizations to take full advantage of the opportunities public cloud offers, they must ensure that their customers are comfortable with this shift, that clear cloud governance standards are defined, and that they can present evidence of compliance to assessors and auditors.

What’s the solution?
Organizations need an automated cloud security solution that provides the automation essential to enforce policy, thus reducing risk, provide governance, impose compliance, and increase security across large-scale hybrid cloud infrastructure. Security automation should take the pain out of making cloud infrastructures secure in a shared responsibility world by providing a framework for what organizations should be doing via a continuous, real-time process.  By utilizing security automation, companies can stay agile and innovate, while maintaining the integrity of their technology stack and apply the policy they deem necessary to operate their business.

Core to a company’s solution should be an easy-to-use interface from which clients can manage their existing cloud infrastructure. At scale, policy enforcement cannot and should not be performed manually. Security automation can discover and automatically take action to address policy infringements or security issues (like an exposed ElasticSearch Database). It also allows for simultaneous offense and defense, resulting in increased innovation and a reduction of risk.

Interested in learning more? Speak with a DivvyCloud expert today! Or, if you’re in the financial services industry, check out our guide: Ensuring Cloud Security and Compliance in the FInancial Services Industry.



DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Feature Release: 18.7 – CIS Kubernetes Compliance Pack, Customized Harvesting, & More

Feature Release: 18.7 – CIS Kubernetes Compliance Pack, Customized Harvesting, & More

Twice a quarter DivvyCloud releases a new version of our software, and we are excited to announce the final release of 2018! Collaboration with our customers and the broader community help shape these releases with improvements to core capabilities around discovery, analysis and automated remediation of cloud and container infrastructure as well as new features and support for the ever-expanding portfolio of services from the major cloud providers.

The primary focus of this release is on performance and optimization. We’ve dramatically updated some of our platform capabilities including a rewrite of our job scheduler which allows you to completely customize your multi-cloud configuration monitoring strategy. We’ve introduced event driven harvesting for AWS (GCP and Azure to come in future releases) to deliver an additional layer of monitoring and improve our real-time automated remediation capabilities. Our new CIS Kubernetes compliance pack allows customers to automatically realize their security postures in their Kubernetes environments (like EKS, AKS, GKE). And finally, our support for Amazon Web Services, Microsoft Azure, and Google Cloud Platform has increased with more than 100 new filters, actions, and general enhancements.

Highlights:


 

1. CIS Kubernetes Compliance Pack

Kubernetes is becoming the container orchestration technology most prevalent across enterprises. As Kubernetes grows in popularity, so too have security concerns about the technology. The publication of CIS Benchmarks for Kubernetes in 2017 by the Center for Internet Security was a major step forward to establish a formal approach to using Kubernetes securely.  The CIS Benchmarks for Kubernetes are a comprehensive set of prescriptive security guidelines intended to provide companies a way to implement safe and reliable Kubernetes clusters. The latest benchmark for Kubernetes can be found below.


The CIS Benchmarks for Kubernetes define over 120 guidelines rules. These rules apply to master and worker nodes. They apply to the control plane components Controller Manager, Scheduler, API Server and etc. In addition, the rules cover the components that are part of each worker node kubelet, kube-proxy, cAdvisor and container network interfaces. With this release, we provide automated discovery, monitoring, remediation, and audit of 42 of these rules. DivvyCloud is well suited to address the security concerns of any company using Kubernetes in the cloud or in private data centers.  Importantly, we view container security holistically, including relevant insights about the supporting and surrounding cloud infrastructure, and important security areas like Identity & Access Management.

DivvyCloud’s automation allows developers to engage in more experimentation and innovation with Kubernetes while also providing the trust and verification that system administrators need to ensure that work is being done according to industry standard security guidelines and well-established best practices. DivvyCloud our approach to supporting the CIS Benchmarks for Kubernetes provide a competitive advantage that is unequaled for companies that put Kubernetes at the forefront of their digital infrastructure.

 

2. Added Cloud Support/Enhancements

  • Amazon Web Services
    • Support for Container Registries and Images
    • Support for Account Level S3 Bucket Access Controls
    • Support for EC2 instance hibernation
    • Support for new A1 and C5n instance types
    • Event driven harvesting (EDH) support for VPC Flow Logs, Dedicated Hosts, Network Peers, Memcache and Elasticsearch Instances, and RDS Aurora clusters
    • Enhanced visibility and lifecycle support for RDS Aurora Clusters
    • Storage of the resource ARN across all resource types
    • Support for AWS Cloudwatch Logs
    • Added support for us-gov-east-1 region
    • Add visibility into whether or not an instance is a spot instance
    • Support for SageMaker Notebooks
    • Add support for tags for IAM users/roles
    • Add ability to suspend and resume processes for Autoscaling Groups
    • Support for the new Stockholm region (eu-north-1)
  • Microsoft Azure
    • Support for Azure Kubernetes Service (AKS)
    • Support for Cosmos DB
    • Support for Graph RBAC
    • Support for Databases
    • Support for Network Peers
    • Visibility into network limits/usage
  • Google Cloud Platform
    • Support for Pub/Sub
    • Support for Service Account Keys
    • Support for tracking VPC flow logging and Google Private Access at the subnet level
    • Support for identifying legacy networks
    • Enhanced GKE visibility and configuration checks
    • Enhanced visibility into GCP Storage buckets

 

3. New Job Scheduler with Customer Harvesting Strategies

Many of our customers have more than 500 cloud accounts with projections they’ll exceed 1,000 accounts in the coming months.  This level of scale, once quite rare, is becoming commonplace and as a result we have rewritten our job scheduler from the ground up and introduced other performance enhancements.  These improvements allow DivvyCloud’s software to ensure the security and compliance of our customers environments, no matter what size and complexity, as they aggressively embrace multi-cloud environments for new projects.. Importantly, the job scheduler now allows you to completely customize your multi-cloud data harvesting strategy.

Customers now have the ability create and modify harvesting strategies by cloud, region, and by resource. In this way, you can better match your harvesting resources with your harvesting needs. For example, you can lower the harvesting cadence in regions where you do not deploy, while not leaving open blind spots to unauthorized usage in those same regions.

This view, in the new section of our tool, has an abundance of data in it.

If you start from left to right, what this is going to give you is the job that we’re using to harvest data down, what resource type it aligns to in DivvyCloud, and then the resource type within each cloud provider.  Then for each resource, you have our default harvesting strategy and the customer override to meet their particular requirements.

Let’s take a look at an example Amazon strategy.

Customers will frequently go into non-continental U.S. regions and they slow down harvesting because they’re a U.S. based business and they don’t need to harvest in Asia Pacific or in India as frequently. Customers will move the slider (in the top left) to go twenty-five times slower and they will see the totals change in the “override column” as the harvesting strategy saves.

 

 

4. Cloud Compliance By Account

Customers who have hundreds of cloud accounts want to be able to see “what are my least compliant clouds vs. my most compliant clouds.”

This data can be exported via PDF so you can get it at the below view if you want to do a quick report of how you’re trending for CIS. You can go ahead and send this off to your compliance team.  

By drilling into account details (below) you see an overall report by day of how you’re trending for the selected pack. You are failing this check if you have one non-compliant resource as it pertains to that check. So it doesn’t matter if you have one API key inactive or a thousand, it’s a non-zero number so you’re clearly failing that particular check. You can also download and export this report as well.

 

Interested in learning more? View the full release notes associated with our 18.7 release, or get your free trial and see our features in action.

 



DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Yet Another Huge Data Leak, This Time in Online Gaming

Yet Another Huge Data Leak, This Time in Online Gaming

Earlier this week, ZDNet broke the news that online gaming group, Mountberg Limited, based out of Cyprus, leaked information on over 108 million bets, including customers’ personal information, deposits, and withdrawals, from an ElasticSearch server that was left exposed online without a password.

It is not known who managed the database, but many of the referenced casinos operate under a parent company called Mountberg Limited. Each of these casinos was also operating under the same 1668/JAZ license number issued by the Curacao eGaming authority. The exposed database appeared to contain the betting information for numerous online casinos such as azur-casino.com, easybet.com, stakes.com, viproomcasino.com, casinogym.com, crazyfortune.com, luckyluke.com, and kahunacasino.com.

Customer data such as real names, home addresses, phone numbers, email addresses were just some of sensitive information leaked from this common ElasticSearch server.  This means anyone who found the database would have known the personal details of players who recently won large sums of money, and used that information to scam them in any number of ways.

Just last week we wrote about Voipo, a telecoms company the provides VoIP services, exposing millions of customer call logs, SMS message logs, and credentials due to a similar reason — their ElasticSearch database wasn’t password protected.

Why are so many ElasticSearch databases being exposed? 
ElasticSearch is an open source, standalone database server developed in Java. Basically, it is used for full-text-search and analysis. It takes in unstructured data from various sources and stores it in a sophisticated format that is highly optimized for language based searches.

Like so many AWS, GCP, Azure, and Alibaba cloud services, ElasticSearch Service is an incredibly powerful and useful service. It is also very challenging for IT professionals, developers, and engineers to consistently configure these powerful services in a way that mitigates security and compliance risk.

First, it is a daunting task to learn about how to configure ever-evolving cloud services correctly — it is like drinking from a firehose. Second, it is even more daunting to know how to do this relative to the security standards (e.g., CIS Benchmark or NIST CSF) and regulatory frameworks (e.g., PCI DSS or HIPAA) that a company chooses to or must comply with. And lastly, it is difficult for any one person or group of people to achieve 100% consistency in applying these standards at the speed and throughput that we ask our tech teams to operate.

What’s the solution? 
Organizations need an automated cloud security solution that provides the automation essential to enforce policy, thus reducing risk, provide governance, impose compliance, and increase security across large-scale hybrid cloud infrastructure. Security automation should take the pain out of making cloud infrastructures secure in a shared responsibility world by providing a framework for what organizations should be doing via a continuous, real-time process.  By utilizing security automation, companies can stay agile and innovate, while maintaining the integrity of their technology stack and apply the policy they deem necessary to operate their business.

Core to a company’s solution should be an easy-to-use interface from which clients can manage their existing cloud infrastructure. At scale, policy enforcement cannot and should not be performed manually. Security automation can discover and automatically take action to address policy infringements or security issues(like an exposed ElasticSearch Database). It also allows for simultaneous offense and defense, resulting in increased innovation and a reduction of risk.

Interested in learning more? Speak with a DivvyCloud expert today!


DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

DivvyCloud Honored as One of Ten “Best Tech Startups” in Arlington, Virginia

DivvyCloud Honored as One of Ten “Best Tech Startups” in Arlington, Virginia

 

We are delighted to announce that for the second year in a row, The Tech Tribune has named DivvyCloud one of the “Best Tech Startups in Arlington, Virginia.”

In doing their research, The Tech Tribune considered several factors including but not limited to:

  • Revenue potential
  • Leadership team
  • Brand/product traction
  • Competitive landscape
  • Additionally, all companies must be independent (un-acquired), privately owned, at most ten years old, and have received at least one round of funding to qualify.

In The Tech Tribune’s words:

DivvyCloud is a leading developer of innovative technology to automate and optimize cloud infrastructure. We deliver multi-cloud infrastructure visibility and automation to improve security, compliance and cost governance. Our software supports all major cloud providers including Amazon, Microsoft, Google, OpenStack, VMware, Rackspace, IBM Softlayer and DigitalOcean.

 

The value of DivvyCloud software has been proven with enterprise customers like General Electric, Discovery Communications, and Fannie Mae, among others. DivvyCloud is differentiated in the market with its native multi-cloud policy automation; its patent-pending data harvesting technology; and its platform-first strategy that allows customers and partners to leverage the DivvyCloud platform to develop their own cloud management solutions and products.”

We are honored by The Tech Tribune’s recognition of DivvyCloud being one of the most successful tech startups in Arlington, Virginia.  

Interested in learning more? Speak with a DivvyCloud expert today!


DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Largest Data Breach of 2019 … So Far

Largest Data Breach of 2019 … So Far

Weeks into 2019 and there has already been a huge database exposed. TechCrunch broke the news this week that Voipo, a telecoms company the provides VoIP services, exposed millions of customer call logs, SMS message logs and credentials.

The database had been exposed since June 2018, and contained call and message logs dating back to May 2015. Many of the files contained detailed call records (who called whom, time of call, date, and more). In total, Voipo exposed “seven million call logs, six million text messages and other internal documents containing unencrypted passwords that if used could have allowed an attacker to gain deep access to the company’s systems.”

How did this happen? One of their backend ElasticSearch databases wasn’t protected with a password. A simple misconfigured security control. If we learned anything in 2018, it’s “not only S3 buckets get left open.”

Voipo’s CEO claims that they didn’t find any evidence in their logs or their network to indicate that a data breach occurred, though according to TechCrunch  he “did not say how the company concluded that nobody else accessed the data.” That is a bit hard to believe considering we are living in a world where there are hundreds of thousands of people around the globe continuously (whose job it is even) trying to exploit vulnerabilities.  Maybe Voipo is one of the lucky ones.

DivvyCloud Could Have Helped:

Out of the box, DivvyCloud’s software would have detected this misconfigured instance and automated the remediation to close this vulnerability in real-time.

Like so many AWS, GCP, Azure, and Alibaba cloud services, ElasticSearch Service is an incredibly powerful and useful service. It is also very challenging for IT professionals, developers, and engineers to consistently configure these powerful services in a way that mitigates security and compliance risk.

First, it is a daunting task to learn about how to configure ever-evolving cloud services correctly — it is like drinking from a firehose. Second, it is even more daunting to know how to do this relative to the security standards (e.g., CIS Benchmark or NIST CSF) and regulatory frameworks (e.g., PCI DSS or HIPAA) that a company chooses to or must comply with. And lastly, it is difficult for any one person or group of people to achieve 100% consistency in applying these standards at the speed and throughput that we ask our tech teams to operate.

DivvyCloud solves these challenges for customers like General Electric, Discovery Communications, and Fannie Mae using cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of cloud and container infrastructure allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

In a nutshell, we mitigate security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure.

Interested in learning more? Get your free trial of DivvyCloud or speak with a DivvyCloud expert today!

Securing Your Microsoft Azure Environment

Securing Your Microsoft Azure Environment

As organizations navigate their digital transformations and embark on adopting Microsoft Azure, one of the biggest challenges they face is ensuring that their new cloud infrastructure is secure.  Many IT leaders and professionals make the mistake of approaching security in the cloud the same way they approached security in a traditional data center. However, in the software-defined world of Microsoft Azure, there is an added wrinkle.  Without a holistic approach to security which includes a view of configuration, you can easily open yourself up to undue risk.

First, understand that security in the cloud is a shared responsibility between the cloud provider and the customer. All of the major cloud providers, including Microsoft Azure, operate under this premise. Microsoft’s Shared Responsibilities for Cloud Computing white paper explains the shared responsibilities a customer needs to be aware of and purposeful in managing  when adopting Azure. In a nutshell, with Azure, Microsoft provides security for certain elements, such as the physical infrastructure and network elements, but Azure customers must be aware of their own responsibilities.  For example, Microsoft provides services to help protect data, but customers must also understand their role in protecting the security and privacy of their data. The best illustration of this issue involves the poor implementation of a password policy; Microsoft’s best security measures will be defeated if customers fail to use complex passwords.

Second, customers are often left with the question, “How do I know what good security looks like in Azure?”  To help answer that question, Microsoft has developed the CIS Microsoft Azure Foundations Security Benchmark, based on the Center for Internet Security’s best practices for protecting public and private organizations from cyber threats. The Azure CIS Benchmark provides guidance for establishing a secure baseline configuration such as how to configure a firewall within Azure or how to set permission levels for various applications. It also provides quantitative scoring of an organization’s Azure security posture.  

Many organizations struggle with this because it is really hard to operationalize the guidance in this document.  You need to have the people who can translate these documents to your environment. You need to have centralized visibility into all the configuration choices being made.  Dealing with software-defined infrastructure in the public cloud is a challenge, especially when empowering developers and engineers with self-service for provisioning and configuration, who may not be familiar with security and having to deal with the rate of change in the cloud. Because cloud technology is always changing, it’s vitally important to understand the configuration choices being made. Validating those configuration choices against security standards becomes far more important for most companies now than in the past because failing to do so can lead to the company to falling victim to the data breaches that we continuously hear about in the news.

Visibility is Key 
It is critical to have a comprehensive view into your cloud environment to identify misconfigurations  as well as to see who has access to what resources and what level of access is permitted.

To avoid this visibility gap and the common misconfigurations, organizations need automation tools that provide full visibility into their cloud infrastructure and the ability to identify and remediate issues on the fly. When it comes to selecting automated systems that deliver continuous security and compliance, here are some top considerations:

  • Support for multiple Azure subscriptions and multi-cloud.  
  • Alerting and remediation (Allows for IFTTT-like automation rule building to enable proactive security).
  • Support for sending incidents to systems like Service-Now.
  • Integrations with systems like Splunk.
  • Support for SAML like PingFed or Okta.
  • Ability to create dynamic groups of resources based on tags.
  • Support for an extensive set of pre-built policies that tie back to common regulatory standards – such as the Azure CIS Benchmark.

Operationalizing Security Benchmarks Through Automation 
Continuous security and compliance in the cloud is essential.  “Trust, but verify” is a common phrase in the cloud computing industry meaning that you should trust that developers and engineers are provisioning and configuring cloud and container services appropriately, but they also need to verify this relative to security, compliance, and governance policies.  

DivvyCloud has taken the pain out of making cloud infrastructures secure in a shared responsibility world by providing a framework for what organizations should be doing via a continuous, real-time process. DivvyCloud’s Cloud Security and Compliance Buyer’s Framework provides a preset list of criteria across several categories to make it easier for organizations to establish common criteria to objectively compare and evaluate competing products. This prescriptive guidance establishes a secure baseline configuration for Microsoft Azure and is implemented in DivvyCloud’s Insight Packs.  These provide immediate and continued visibility into the posture of their Azure environments against the Azure CIS Benchmark, and the use of Bots to automate the remediation of policy violations.

DivvyCloud is a software appliance, not SaaS offering,  which allows enterprise customers to give the software read/write access to their critical infrastructure. The software platform allows customers to use underlying data to drive orchestration, easily extend our product (so they can buy, and build), and allows them to deeply integrate the solution throughout their technology stack. DivvyCloud puts forth policies and monitors them to ensure compliance and provides the active protection necessary throughout an organization’s cloud journey.

Key features of DivvyCloud’s cloud automation platform include:

  • Automating the verification process and makes it easy to automatically remediate policy violations so that the environments are always secure and compliant.
  • Identifying security risks in real-time and take automatic, user-defined action to fix problems before they’re exploited.
  • Automating enforcement of best practices and standards including SOC 2, CIS, PCI DSS, HIPAA, and GDPR.
  • Providing a global tagging policy that allows the use of metadata to assign different levels of security to your data.
  • Improving cloud governance and cloud cost management by enforcing your global tagging policy.

It is important to remember that choosing a cloud provider such as Microsoft Azure does not mean your cloud infrastructure is automatically secure. There are other security considerations that companies must configure in order to be in compliance and ensure that their network and applications are secure. Using established frameworks can provide a baseline for evaluating your security and compliance. This, coupled with an automated cloud management solution, enable organizations to fully operationalize their network in real time and gain visibility and control of their security posture.

Interested in learning more? Get your free trial of DivvyCloud or speak with a DivvyCloud expert today!


Establishing Guardrails with DivvyCloud 
DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

How Retailers Can Stay Secure in the Cloud in 2019

The 2018 holiday shopping season is in the rearview mirror. In 2017, holiday sales totaled $687.87 billion, and while total numbers aren’t yet in, experts predicted an increase between 4.3 and 4.8 percent for a total $717.45 billion to $720.89 billion in spending. That’s A LOT of consumer data retail companies are responsible for. If retailers are using cloud to revolutionize the customer experience, how are they doing so without creating risk for themselves, their customers, and other stakeholders?

Retail organizations are experiencing a culture shift as they respond to consumer demand for improved experiences in the store and online. Building applications and migrating PCI-regulated workloads to Microsoft Azure and Google Cloud Platform (GCP), and sometimes even Amazon Web Services (AWS), offers an attractive way to respond to competitive pressures, speed innovation, time to market, and resilience.  However, the self-service, dynamic nature of software-defined cloud infrastructure creates unique challenges for risk and compliance professionals in the retail industry.

Processes and tools that worked well in the traditional datacenter do not directly translate to the public cloud.  Due to concerns over Standard Payment Card Industry Data Security (PCI-DSS) compliance and security, as well as the complexity involved in migrating legacy systems, retailers have traditionally taken a tentative approach to public cloud adoption.  However, competitive pressures are driving retailers to jump into the proverbial deep end or risk being left behind and out of business.

Hasty Public Cloud Adoption Can Lead to Compliance Issues: 
According to the  2018 Verizon Payment Security Report, almost half of organizations fail to maintain PCI DSS compliance. For the half that DO achieve full compliance with their annual PCI DSS review, nearly half of those companies then fall out of compliance within a year.

This is incredibly important because 100% of companies that suffered a payment card breach were found to lack compliance with PCI-DSS. The report elaborates on this point, “Many of the security controls that were not in place cover fundamental security principles that have broad applicability. Their absence could be material to the likelihood of an organization suffering a data breach. Indeed, no organization affected by payment card data breaches was found to be in full compliance with the PCI DSS during a subsequent Verizon PCI forensic investigator (PFI) inquiry.”

So why don’t more companies achieve and maintain compliance?
 As stated above, the challenge is that competitive pressures are  hastily pushing organizations to public cloud and they simply don’t have the right staffing levels or the right tools to consistently achieve good outcomes when approaching compliance as a manual task.  Automating policy enforcement is a key element to achieving and maintaining compliance. The report backs this up, “Measure, report and act. Enhance data and security monitoring, detection and response competency through automation, training and performance measurement.”

In this new year, retailers need to go from 0 to 60 overnight, and without creating risk for themselves, their customers, and other stakeholders.  To take full advantage of the opportunities public cloud offers, they must ensure that clear cloud governance standards are defined, that they have real-time automated enforcement of security and governance, risk management and compliance (GRC) policies, and that they can present evidence of compliance to assessors and auditors.

If you’re interested in finding out how to achieve this objective, click here to read, “How to Stay Secure as a Retailer Using Cloud to Revolutionize the Customer Experience.” Use our guide to explore the frameworks that retailers are leveraging to ensure strong governance in the cloud, a roadmap for continuous compliance in the cloud, and how DivvyCloud can help you achieve this goal.


DivvyCloud: Guardrails for Your Cloud Infrastructure
DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (Azure, GCP, AWS, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

 

Cloud Security 2019: What to Watch For in the New Year

Cloud Security 2019: What to Watch For in the New Year

Days into 2019, and the level of overall security concern in public cloud and containers remains high with data breaches and misconfigurations being among the top security concerns.  Many companies feel that compared to traditional IT environments, there is higher risk of data breach and misconfigurations in a public cloud environment. However, many IT leaders and professionals continue to make the mistake of approaching security in the cloud the same way they approached security in a traditional data center. In the software-defined world of public cloud, if you don’t take a holistic approach to security you can easily open yourself up to undue risk.

Dealing with software-defined infrastructure in the public cloud is a challenge, especially when empowering developers and engineers with self-service for provisioning and configuration, who may not be familiar with security and having to deal with the rate of change in the cloud. Because cloud technology is always changing, it’s vitally important to understand the configuration choices being made. Validating those configuration choices against security standards becomes far more important for most companies now than in the past because failing to do so for example, in storage containers, can lead to the company data breaches that we continuously hear about in the news.

In 2018, companies like Fed Ex, Alteryx, National Credit Federation, Verizon, Australian Broadcasting Corporation, Dow Jones, Deep Root Analytics, Robocent, Macy’s, Adidas, GoDaddy, SpyFone, etc. exposed sensitive, personal information for hundreds of millions of people from around the world.  Verizon reported that in 2018 there was 2,216 confirmed data breaches across 65 countries. 28 percent of those incidents were perpetuated by insiders. More than half of those breaches by outsiders were done by malicious or criminal attacks. As we move into 2019, we can expect to see more of the same and we can also expect the average cost of a data breach to continue to skyrocket.

In July, IBM and Ponemon Institute released the 2018 Cost of Data Breach Study: Global Overview which showed an increase in stolen data records and in cost of data breaches year over year.

                                                                                                                                                                                                                                  Source: 2018 Cost of Data Breach Study

The average total cost of a data breach from 2017 to 2018 rose from $3.62 to $3.86 million an increase of 6.4 percent.  If that rate of growth remains constant into 2019, we will see the average cost of a data breach rise to around $4.11 million.

Keep in mind, that’s a global average. In which country are data breaches the most costly? If you guessed the United States, you’d be correct. The average total cost in the United States was $7.91 million. That trend will follow us throughout 2019.  If we tack on that year over year increase of 6.4 percent, then we could see the average total cost of a data breach in the United States reach around $8.42 million in 2019.

Here’s the 2019 challenge: How does an enterprise decentralize control across a large organization and still simultaneously enforce standards that allow them to mitigate risk avoiding data breaches?

The answer:  Automation.

  • The average cost of a breach for organizations that fully deploy security automation is $2.88 million
  • Without automation, estimated cost is $4.43 million, a $1.55 million net cost difference!

That means that organizations who deploy security automation realize a much lower total cost of a data breach at $1.55 million or a savings of almost 35%. Remember, it’s a matter of “when,” not “if” your organization suffers a data breach. Unless you consider your company in a better position than Adidas, Macy’s, Marriott, Facebook, or the other enterprises that suffered a data breach in 2018, then not employing security automation will cost you even more in 2019.

How can DivvyCloud help? DivvyCloud provides the automation essential to enforce policy, thus reducing risk, provide governance, impose compliance, and increase security across large-scale multi-cloud infrastructure. By utilizing our platform, companies like Discovery, Twilio, General Electric, Kroger, Fannie Mae, Turner, and Autodesk stay agile and innovate, while maintaining the integrity of their technology stack and apply the policy they deem necessary to operate their business.

Core to DivvyCloud’s platform is an easy-to-use interface from which clients can deploy more than 125 standard bots or create their own for specific use cases to manage their existing cloud infrastructure. At scale, policy enforcement cannot and should not be performed manually. DivvyCloud customers can discover and automatically take action to address policy infringements or security issues. Automation allows for simultaneous offense and defense, resulting in increased innovation and a reduction of risk.

Within enterprises, the pace of migration from data centers to a public cloud or hybrid cloud infrastructure has ramped significantly over the last couple of years. Gartner predicts as enterprises become “cloud-first”, spend for cloud management and security services are estimated to grow to $14B by 2020.

Recent news cycles and reports (like Ponemon’s 2018 Cost of Data Breach Study: Global Overview) about the cost of compliance violations and security breaches only buoy the case and support the need for automation at enterprises to operate cloud infrastructure at scale. Rather than single-vendor source, enterprise customers are implementing a multi-cloud approach that requires third-party tools to optimize environments.

DivvyCloud has built a flexible, extensible platform that helps manage compliance, cost, and security. The solution builds an infrastructure map then detects abnormalities in real time based on client specific rules. Bots warn of violations of policy and automate the remediation.

To learn more about how DivvyCloud is helping its clients unlock innovation through cloud automation while keeping them secure and compliant in 2019, speak with a DivvyCloud expert or install DivvyCloud with a free 30-day trial today.

Managing the Kubernetes Security Flaw

Managing the Kubernetes Security Flaw

News broke earlier this week about the discovery of Kubernetes’ first major security hole.  The flaw provided an invisible way to hack into the popular cloud container orchestration system.

According to Wei Lien Dang, VP of products for StackRox, in a statement provided to CIO Dive, the vulnerability was severe and broadly applicable, affecting every version since v1.0 and potentially every Kubernetes user, making it the first major security hole for the popular container orchestration system.

Red Hat fixed the security hole by releasing patches immediately after the flaw was reported which would have been installed with widely used automatic security updates.  

“Those quick fixes underscore how security teams react to the inevitable vulnerabilities that surface in enterprise distributions of open-source software, especially popular microservices platforms like Kubernetes that are widely used to deliver distributed applications.” – George Leopold, Enterprise Tech

The task of managing these massive, distributed, systems built on open source technologies is complicated. Because of the open source code base, a worldwide team – both white hat and black hat – can examine the code to find flaws. As new vulnerabilities emerge, companies need to be able to respond in real time, potentially building policies on the fly to identify and then deprecate outdated or vulnerable systems. This relies on the organizations have good, central visibility and up-to-date real-time asset inventories in extremely dynamic environments.

The key tenets of managing these environments is the same as the general security best practices anywhere. Start with knowing what you have. You can’t protect if you can’t see it. And with the dynamic nature of cloud, and containerized environments in particular, getting and maintaining this visibility has be done programmatically and repeated on a continuous basis.

After identifying where the enterprise may be vulnerable, the next challenge is to find ways to remediate and replace vulnerable systems as quickly as possible. Thankfully, in software-defined infrastructure, this can actually be much faster than in traditional data centers. But again, it does rely on the organization knowing what it has, and then defining rules that shed light on the vulnerable infrastructure and workloads

Finally, a proven approach for maintaining the inventory, coupled with tools that allow the customer to define desired good-state or blacklists, on the fly, is key to reacting to new developments.

At DivvyCloud, our software simplifies the job of securing Kubernetes clusters and workloads across public clouds including Amazon Web Services, Google Cloud Platform, Microsoft Azure, and Alibaba Cloud. If you’re interested in learning more, get your free trial of DivvyCloud or speak with a DivvyCloud expert today!

If you’d like to read more on securing Kubernetes, check out our white paper “A Holistic Approach to Securing Kubernetes that Integrates Culture and Technology.


DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

 

AWS re:Invent 2018: DivvyCloud’s Key Takeaways

AWS re:Invent 2018: DivvyCloud’s Key Takeaways

DivvyCloud was proud to be a sponsor of AWS re:Invent 2018 where we shared how we deliver continuous security and compliance for AWS and Kubernetes (along with Azure, GCP, Alibaba Cloud) to customers like Twilio, 3M, Autodesk, General Electric, and Fannie Mae.

One of the high points of re:Invent was when AWS CEO Andy Jassy took the stage and made it very apparent that AWS is moving full steam ahead.  Jassy spoke on the new AWS security tools, AWS Outposts, machine learning strategies, as well as Amazon’s new headquarters, one of which is only a couple of miles away from our office in Arlington, Virginia.

Here are four announcements we wanted to highlight in case you missed them or wanted to learn more:

  • AWS Outposts: AWS made a big push into the hybrid cloud space with Outposts, which brings native AWS services, infrastructure, and operating models to virtually any data center, co-location space, or on-premises facility. This is a fascinating initiative for many reasons. Many companies and projects have tried to bring public cloud functionality into private data centers, from Eucalyptus (now defunct, after being acquired by HPE, and later passed to AppScale) to OpenStack. This only reinforces the simple fact – for real cloud convenience, the hardware and software have to work together. But why would customers embrace Outposts? Despite strong innovation in the security space, going to the point where many people feel that public cloud is more secure than private data centers, there is still a perception amongst many enterprises that core intellectual property (often called the “crown jewels”) belongs on hardware that the enterprise can own and touch. Also, there are situations of data gravity where the transit costs and times to and from public cloud are not practical.
  • AWS re:Inforce:  The first AWS Security Conference: AWS re:Inforce 2019 was announced.  The event is being billed as “a hands-on gathering of like-minded security professionals,” and will take place in Boston, MA on June 25th and 26th, 2019 at the Boston Convention and Exhibition Center. The cost for a full conference pass will be $1,099. Attendees will get a deep dive into the latest approaches to security best practices and risk management utilizing AWS services, features, and tools.  DivvyCloud will be there talking about how our software helps our customers consistently and effectively use AWS security and management tools. During the conference, AWS will offer multiple content tracks designed to meet the needs of security and compliance professionals, from executives to security engineers, and everything in between.
  • AWS Security Hub: Available now in preview, this service allows AWS customers to centrally view and manage security alerts and automate compliance checks within and across AWS accounts. Importantly, it will aggregate security findings from AWS and partner services and present you with built-in and customizable insights that are unique to your environment.  Security Hub will be an excellent tool for customers running in only AWS who want to gain a consolidated view of alerts and checks across their environment and have a base-level of requirements. For advanced and enterprise customers, looking for multi-cloud capabilities, integration with existing systems like Splunk and ServiceNow, and an automated multi-cloud remediation, there is DivvyCloud.
  • AWS Control Tower:  AWS Control Tower is now available in limited preview.  This new service helps you automate the set-up of a well-architected multi-account AWS environment based on best practices, and also guides you through a step-by-step process to customize Control Tower to your organization. It will automate the creation of an AWS Landing Zone with best practice blueprints including:

    Configuring AWS Organizations to create a multi-account environment
    • Federating access using AWS Single Sign-On
    • Centralizing logging using AWS CloudTrail and AWS Config
    • Enabling cross-account security audits using AWS IAM
    • Implementing network design using Amazon VPC
    • Defining workflows for provisioning accounts using AWS Service Catalog

    Guardrails (a term that DivvyCloud has been championing for years), both mandatory and recommended, will be available for high-level, rule-based governance. Customers will also have access to an integrated dashboard where they can review accounts provisioned, the guardrails that are enabled, and compliance status.  This will be a great entry-level tool that will be perfect for many of the customers who today operate only in AWS and have fairly straightforward requirements. 

What does DivvyCloud think about the new AWS security tools?

The security tools are a very positive sign that AWS is taking the enterprise concerns seriously. As customers expand their cloud footprint, often embracing a multi-account strategy to limit blast radius or segregate workloads for chargeback, the complexities of multi-account management come to the front of mind. These tools help to alleviate that experience.

However, what about the modern enterprise that is cloud agnostic, multi-cloud for either workload or strategic reasons? We believe that this reinforces DivvyCloud’s mission – providing a central, unified, policy-driven approach to automated real-time security across all public clouds. We also think that security hub is a great start, but doesn’t address the needs of the most complex organizations, whose security and compliance standards are built not only on best practices like the CIS Benchmarks but also on regulatory standards like HIPAA, NIST, PCI, FedRamp, GDPR; as well as on internal corporate standards. Customers need to leverage a broad library of tools to build their own security policies.

What about outside of the areas of infrastructure and security?

AWS continues to reinforce its position as the most customer-centric company in the world. The additional services, ranging from storage, to compute, to data lakes, machine learning and much, much more are all aligned around new customer use cases and workloads. Admittedly, some services launch with a very narrow set of capabilities, but Amazon has proven its ability to iterate quickly and broaden to meet market demand. Case in point is the expansion of a previous re:Invent highlight, AWS Lambda, to include support for all coding languages.

As the conference progressed, we engaged with many customers to discuss their security requirements, and one other theme that emerged from those conversations was that their needs are real-time and they are often absolute. This means that simply finding problems is often necessary, but not sufficient. They need the ability to leverage an automation library to remain secure and within their guidelines – continuous compliance.

There were many other announcements, and AWS has handily provided a summary of the launches, previews, and pre-announcements from Andy Jassy’s keynote.

So, are you ready to see how DivvyCloud can simplify your cloud environment, optimize your resources, provide new insights, and automate your security policy? Get your free 30-day trial of DivvyCloud, or speak with a DivvyCloud expert to get started today.


DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Marriott’s Massive Data Breach Exposes 500 Million Accounts

Marriott’s Massive Data Breach Exposes 500 Million Accounts

News broke today that hotel group Marriott suffered a massive data breach exposing the records of up to 500 million customers.

What Happened?

The hotel giant received an alert from an internal security tool in September, regarding an attempt to access the Starwood guest reservation database. The ensuing investigation revealed that there had been unauthorized access to the Starwood network since 2014. An unauthorized party had copied and encrypted information, and took steps towards removing it. Marriott was successful in decrypting the information on November 19th, and found that it was from the Starwood guest reservation database.

What Data Was Exposed?

In a statement filed with regulators, Marriott said they believe the duplicated information in the database contains data on up to approximately 500 million guests who made a reservation at a Starwood property. “For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates.”

It’s too early to know what missteps led to the breach of data (we will update this article with new information) tied to as many as 500 million guests at hotel giant Marriott International Inc.’s Starwood reservation system, but data leaks such as this one continue to be an issue. Most data leaks are not a failure of technology, but rather a human error. This could be a misconfiguration or even just a failure of standard corporate processes. It is not a matter of if a misconfiguration will occur, but a matter of when it will occur and how quickly it will be discovered and exploited. Without standards and automation, companies are sitting ducks. In either case, we can expect to see more issues like this one until we start holding organizations accountable for data leaks.

More 2018 Data Breaches:

We are living in a world where there are hundreds of thousands of people around the globe continuously (whose job it is even) trying to exploit vulnerabilities. Regardless of how the breach occurs, typically, it’s because of an approach to compliance that is manual and periodic rather than continuous. Inevitably, that creates a cycle of being in and out of compliance.  The problem is that even a brief lapse in compliance opens up a window that can and will be exploited. When you don’t achieve continuous compliance through monitoring and automated remediation, then it’s only a matter of time before you join the growing list of companies mentioned above who have to explain to their customers that their information has been compromised.

In the cloud?  If so, get your free trial of DivvyCloud or speak with a DivvyCloud expert today and explore how we can secure your entire cloud environment.


DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Deploying Kubernetes Across Multiple Clouds

Kubernetes is essentially a container orchestration platform. It is NOT a container runtime (software that executes containers and manages container images on a node), meaning it doesn’t replace Docker.  Docker is what Kubernetes uses on each node (a worker machine which may be a VM or physical machine depending on the cluster) to run the containers. Kubernetes is in charge of deploying the containers to the specific nodes that have the capacity, or where they need to be based on labels or tagging. It can also handle dealing with the software-defined networking layer that allows the containers to talk to one another, and services like Load balancing all inside the Kubernetes cluster.

What Kubernetes is not, as mentioned before, is a runtime.  You still have Docker underneath the “covers” running a lot of these containers, though that may change in the future as Google begins to bring on more container runtimes like gVisor.  But for now, Docker is still a required component.

Why Cross Cloud?

  • Business – Avoid vendor lock-in and ensure the best price per resource
    A lot of companies don’t want to be locked into a vendor.  We all played the Datacenter game and know how painful it can be when you get locked into a long-term contract.  It doesn’t provide you the flexibility you need as an enterprise. Furthermore, you really can’t engage in optimal pricing negotiating if they know they’ve “got you by the tail.”  They know you can’t leave their environment, so avoiding vendor lock-in is just a good business practice for you to make the best business decisions.
  • Stability – Keep applications online, even during a catastrophic cloud outages
    Cloud outages do happen.  Last year someone took down all of the Amazon east coast by running the wrong rm-rf command on node. These things happen and the reality is technology fails, but people fail way more often. We are likely to see more stability issues as systems become more and more complex. So it’s important to spread yourself across multiple clouds to ensure that your application is still up and running and making money in the event one of the cloud providers goes down.
  • Best in class services – Take advantage of the best service cloud providers have to offer.
    Providers are beginning to commoditize meaning the infrastructure layer is becoming the same across all providers. Servers, load balancers, etc. are all generally the same and operated the same.  The differentiators are Google focusing on AI and machine learning, and Amazon has some excellent database service technologies like their Relational Database Service (RDS) and DynamoDB.
  • Security — protect your data by replicating across multiple data storage systems.
    We are seeing a lot more ransomware out there, and companies being held hostage if their Amazon account is compromised.  You need to make sure you spread yourself out so in the event you are compromised, you can protect yourself and isolate the area that has been compromised. This will allow you to maintain your running applications and deal with the situation in the other cloud provider.

Kubernetes makes all of this possible because it allows for effortless application portability.  You can move applications from one server to the other server, in fact, the Kubernetes cluster is going to be doing it all the time for you as part of the orchestration layer.

How Do You Deploy Across Multiple Clouds?

Kubernetes believes in a multi-cloud environment, if not just because of Amazon and Google, also because there are many enterprises that still run a lot of data center workloads and probably will be for some time to come.  Public cloud is not always cheaper, and not always the best option, so you need to make sure you can create a Kubernetes cluster that works across multiple locations whether it be in public or private clouds. This is very important to Kubernetes.

This is what our application looks like today. We’ve pre-configured an Amazon environment and a Google environment both with a VPC. Amazon has the “.200,” and Google has the “.201.”  They have DNS, internet connectivity, and everything you would need necessary to run. This is what it would look like if you deployed Kubernetes Clusters in each one of those environments: you’d have independent load balancers, independent Kube apps, and Kubernetes clusters, independent databases, etc. However, you want to take the next step of linking these networks together so you can deploy a Kubernetes Cluster across both VPCs simultaneously.  So how do you go about doing that? Find out by watching our videoHow to Architect Kubernetes to Support Multi-Cloud Applications” where our CEO Brian Johnson walks you through best practices for designing Kubernetes to enable multi-cloud.

If interested in learning more about securing Kubernetes, check out our white paper “A Holistic Approach to Securing Kubernetes that Integrates Culture and Technology.”

At DivvyCloud, our software simplifies the job of securing Kubernetes clusters and workloads across public clouds including Amazon Web Services, Google Cloud Platform, Microsoft Azure, and Alibaba Cloud. If you’re interested in learning more, get your free trial of DivvyCloud or speak with a DivvyCloud expert today!


DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Visit DivvyCloud at AWS re:Invent at Booth #2937 in The Expo

Are you ready for AWS re:Invent 2018?

DivvyCloud is excited to be a sponsor of re:Invent 2018 and hope you already have your tickets (since the event is now sold out).  If you haven’t already done so, we highly recommend you take advantage of reserved seating for breakout sessions. And we also suggest you come by and visit DivvyCloud at booth 2937 in The Expo.  Members of our executive team, product team, and sales team will all be at the booth. We’d love to hear more about your cloud and container security challenges. We can share how we use automation to help customers like Twilio, Autodesk, 3M, General Electric, and Discovery maintain continuous security and compliance in AWS and Kubernetes (along with Azure, GCP, and Alibaba Cloud).

Last year, 43,000 people attended re:Invent and more are expected this year.   What’s great is that this year, AWS will be repeating their most popular sessions in every venue all across the re:Invent campus.  This should help solve some of the challenges from last year where it could be super hard for attendees being able to get to the sessions important to them.  AWS has made significant investments to make it easier for attendees to move from place to place, while also reducing the need for them to do so!

Improve your security and compliance in AWS
We will be in Vegas, but we don’t recommend gambling with security and compliance in AWS.  If you want to improve your security  immediately please schedule a meeting with our experts at re:Invent. We’d love to learn more about your goals, plans, and challenges and give you a demo of DivvyCloud so you can see our solution in action.

Take Our Survey for a Chance to Win a LEGO Star Wars Millennium Falcon
When you visit us at Booth 2937 in The Expo make sure you ask about taking our 5-minute survey for a chance to win a LEGO Star Wars Ultimate Millennium Falcon.

DivvyCloud Overview
DivvyCloud helps you achieve continuous security, compliance, and governance while embracing the dynamic, software-defined, self-service nature of public cloud and container infrastructure.  Customers like Kroger, Twilio, Autodesk, Discovery, Pizza Hut, Fannie Mae, Turner, and General Electric use DivvyCloud to automate the detection and remediation of cloud and container infrastructure misconfigurations that violate policy. DivvyCloud enables these industry leaders to take full advantage of agility and speed of cloud and container technology, while actually strengthening their security and compliance posture. This is a double win that increases productivity, innovation, and profitability while decreasing risk.

DivvyCloud performs real-time, continuous discovery and monitoring of resources in Amazon Web Services, Microsoft Azure, Google Cloud Platform, Alibaba Cloud, and Kubernetes. This data is distilled into actionable insights and presented through a single-pane-of-glass console that provides an assessment of your holistic security and compliance posture. DivvyCloud offers more than 165 out-of-the-box policies that map to best practices and standards including SOC 2, CSA CCM, PCI DSS, NIST CSF, NIST 800-53, ISO 27001, CIS, FedRAMP CCM, HIPAA, and GDPR. Customers enable these out-of-the-box, or configure custom, cloud-native policy guardrails (“Insights”). Policy violations are flagged in real-time, and customers can automate remediation with out-of-the-box, or custom, workflows (“Bots”) that integrate with 3rd party systems like Splunk and ServiceNow. These workflows are fully configurable and can incorporate a full range of lifecycle actions that are contextually allowed by the resource in violation. For example, the workflow may Modify Security Groups, Disassociate Public IP, or Terminate Instance when remediating a compute instance in violation of policy.

DivvyCloud is designed for security, cloud, infrastructure, compliance, and governance professionals who want to identify risks in real-time and take automatic, user-defined action to fix problems before they’re exploited.

Navigating Your Multi-Cloud Tagging Strategy

Navigating Your Multi-Cloud Tagging Strategy

Many companies are embracing multi-cloud strategies and in doing so need to be very purposeful in creating global tagging strategies that will work across all clouds.  All cloud providers are not created equal when it comes to tagging and have different limitations. It is important that your global tagging policy does not violate any of the limitations of any of the cloud providers that you use today or will possibly use.  

Whether you’re starting your tagging strategy from scratch or “retrofitting” your current cloud infrastructure, here’s how your organization can tackle the challenge: Design your tagging strategy using the lowest common denominator approach.  In other words, design it to accommodate the various and distinct limitations of each major cloud provider. This lowest common denominator approach will ensure that you don’t end up with a fragmented tagging strategy. Fragmentation of your strategy is a sure fire way to reduce its usefulness and longevity.


DivvyCloud recommends the following tagging strategy design to accommodate all major cloud providers:

  • Maximum Key Length (driven by GCP): 63 Characters
  • Maximum Value Length (driven by GCP): 63 Characters
  • Maximum # of Tags Per Resource (driven by Azure): 15 Tags
  • Case Sensitive
  • Keys and values can only contain lowercase letters, numeric characters, underscores, and dashes. International characters are allowed.
  • Label keys must start with a lowercase letter and international characters are allowed.
  • Label keys cannot be empty
  • Tag names can’t contain these characters: <, >, %, &, \, ?, /, @
  • AWS-generated tag names and values are automatically assigned the aws: prefix, which you cannot assign. User-defined tag names have the prefix user: in the Cost Allocation Report.
  • Use each key only once for each resource. If you attempt to use the same key twice on the same resource, your request will be rejected.
  • You cannot tag a resource at the same time you create it. Tagging requires a separate action after the resource is created.
  • You cannot backdate the application of a tag. This means that tags only start appearing on your cost allocation report after you apply them, and do not appear on earlier reports.
  • Tags applied to the resource group are not inherited by the resources in that resource group.
  • Tags can’t be applied to classic resources such as Cloud Services.

 

Keep in mind, all of the providers are regularly expanding their tagging support, but best to plan for today and expand later when able to.

Now on to a few different strategies based on where you are today in your global tagging strategy journey.

How to Create and Deploy an Effective Tag Strategy

Starting from scratch: When launching your tagging strategy as part of the provisioning process, ensure that your tags represent all the needs of your organization. This will take planning and collaboration across several departments – from finance to operations to each of the business units that use the cloud as part of their workflow – and it’s best to put in a lot of effort before deployment. If your organization doesn’t address all the tags needed at launch, it means a lot of work will be needed after deployment. In general, more tags are better than fewer tags, just as long as the tags are standardized and well-documented to eliminate input mistakes and redundancy. Once your strategy is fully fleshed out, it’s best to implement it with as much automation as possible to eliminate human error and potential gaps.

Retrofitting your existing cloud infrastructure: When dealing with a messier implementation scenario, such as adding tags to an existing cloud infrastructure, there is no easy button.  Take a phased approach. Establish your policy and begin to implement it first within the IT departments. Once you have full compliance here then move on to developers and engineers in business units or who sit outside of central IT.  Start in all cases on applying this policy to all net new resources and build this muscle memory. Establish the value of tagging with all the parties involved. Demonstrate the benefits to everyone in the organization – up and down the company hierarchy.  Once you have buy-in then begin to move through legacy environments and update tags. Do so on some type of incremental basis that limits the period and frequency of disruption to the people who will have to inform or execute this effort.

Developing and implementing a strong tagging strategy works best when your organization is starting with a clean slate. That way, tags can be implemented, standardized, and enforced as part of the provisioning process. Starting from scratch also lets administrators fine-tune the tagging process moving forward: New and updated tags can be added cleanly and seamlessly as new code bases are deployed.

Unfortunately, few organizations have the luxury of starting their efforts with a blank canvas. Instead, most tagging strategies are implemented as a “uh oh, we need to address this” measure — a necessary reaction to an increasingly complex and diverse cloud infrastructure. Perhaps the company has grown quickly or moved more critical resources to the cloud over the years. Maybe the cloud provider has made additional resources available for tagging. In other scenarios, organizations may have implemented effective tagging strategies already, but a merger or acquisition requires getting an inherited infrastructure up to speed.

With an effective tagging strategy, any organization can achieve a greater sense of clarity and structure within a multi-cloud infrastructure. Your tagging strategy can start simply and seamlessly and over time, it can mature and grow in complexity as your business evolves and scales. All you need is a solid tagging foundation, an understanding of best practices, and an inspired first step.

If you’re interested in learning more about effective tagging strategies, download our new white paper – Take Control: Multi-Cloud Tagging Strategies for the Win.

IBMs Data Breach Study – Which Industries Have the Highest Cost?

In July, IBM and Ponemon Institute released the 2018 Cost of Data Breach Study: Global Overview in which they conducted interviews with more than 2,200 IT, data protection, and compliance professionals from almost 500 companies that have experienced a data breach in the last year.  Their report shows an increase in stolen data records and in cost of data breaches year over year.

 .                                                                                                  Source: 2018 Cost of Data Breach Study

Year Over Year Comparison:

  • The average total cost rose from $3.62 to $3.86 million an increase of 6.4 percent
  • The average cost for each lost record rose from $141 to $148, an increase of 4.8 percent
  • The average size of the data breaches in this research increased by 2.2 percent

Data Breach Costs Per Industry:

                                                                                                                  Source: 2018 Cost of Data Breach Study

As shown in the above chart, heavily regulated industries such as healthcare and financial organizations have the highest per capita data breach cost. According to Healthcare Informatics, for the eighth year in a row, healthcare organizations had the highest costs associated with data breaches – costing them $408 per lost or stolen record – nearly three times higher than the cross-industry average ($148). The next highest industry was financial services with an average of $206 per lost or stolen record.

Here’s the challenge: how does an enterprise decentralize control across a large organization and still simultaneously enforce standards that allow them to mitigate risk avoiding data breaches? If they open Pandora’s Box to innovate, can they maintain integrity across a large infrastructure to properly operate?

The answer:  Automation.

  • The average cost of a breach for organizations that fully deploy security automation is $2.88 million
  • Without automation, estimated cost is $4.43 million, a $1.55 million net cost difference

How can DivvyCloud help? DivvyCloud provides the automation essential to enforce policy, thus reducing risk, provide governance, impose compliance, and increase security across large-scale multi-cloud infrastructure. By utilizing our platform, companies like Discovery, Twilio, General Electric, Kroger, Fannie Mae, Turner, and Autodesk stay agile and innovate, while maintaining the integrity of their technology stack and apply the policy they deem necessary to operate their business.

Core to DivvyCloud’s platform is an easy-to-use interface from which clients can deploy more than 125 standard bots or create their own for specific use cases to manage their existing cloud infrastructure. At scale, policy enforcement cannot and should not be performed manually. DivvyCloud customers can discover and automatically take action to address policy infringements or security issues. Automation allows for simultaneous offense and defense, resulting in increased innovation and a reduction of risk.

Within enterprises, the pace of migration from data centers to a public cloud or hybrid cloud infrastructure has ramped significantly over the last couple of years. Gartner predicts as enterprises become “cloud-first”, spend for cloud management and security services are estimated to grow to $14B by 2020.

Recent news cycles and reports (like Ponemon’s 2018 Cost of Data Breach Study: Global Overview) about the cost of compliance violations and security breaches only buoy the case and support the need for automation at enterprises to operate cloud infrastructure at scale. Rather than single-vendor source, enterprise customers are implementing a multi-cloud approach that requires third-party tools to optimize environments.

DivvyCloud has built a flexible, extensible platform that helps manage compliance, cost, and security. The solution builds an infrastructure map then detects abnormalities in real time based on client specific rules. Bots warn of violations of policy and automate the remediation.

To learn more about how DivvyCloud is helping its clients unlock innovation through cloud automation, speak with a DivvyCloud expert or install DivvyCloud with a  free 30-day trial today.

By utilizing platforms like DivvyCloud and exercising the power of automation, enterprises can be agile enough to delight their customers, while still being able to sleep at night.

Another S3 Bucket Leak – PocketiNet’s Data Exposed!

Another S3 Bucket Leak – PocketiNet’s Data Exposed!

And the data leak trend continues … TechCrunch broke the news this week that PocketiNet, an internet provider based in Washington State, left an Amazon S3 bucket open for at least six months!  “Worse, it took the company a week to shut off the leak, despite several phone calls and emails warning of the exposure.”

Very popular on the west coast, PoketiNet provides high-speed internet access to thousands of homes, local multi-national corporations, and hospitals across Washington state.  Nonetheless, it’s time to add this company to the list of S3 bucket leaks that have exposed sensitive, personal information for hundreds of millions of people from around the world this year.

 

According to MotherBoard:

PockiNet left 73 gigabytes of essential operational data publicly exposed in a misconfigured Amazon S3 storage bucket for six months.

Said bucket, named “pinapp2,” contained the “keys to the kingdom,” according to the security firm UpGuard, including internal network diagramming, network hardware configuration photos, details and inventory lists—as well as lists of plain text passwords and AWS secret keys for Pocket iNet employees.

How did these S3 Buckets get exposed?
We don’t know for sure, but often times the S3 Bucket configuration is incorrect. The created container permissions may have been too broad which allows anyone to access the data (as may be the case with PocketiNet). Again, their S3 Buckets may have been serviced by people who aren’t familiar with security, thus the developer who created the container was unaware of how to properly secure it, or it was something as simple as an oversight.  For example, in PocketiNet’s case, they may have had a developer who was troubleshooting an issue that was causing an application to fail and suspected the S3 Bucket access was to blame. The developer may have tweaked the S3 configuration leaving it open to the public, and as the application began working again, moved on to another project. Now they have an exposed S3 Bucket. It may not have even been the developer’s fault as someone else may have altered the bucket’s configurations at a later date for any number of reasons. The point is, so many organizations are made vulnerable because a lot of them don’t have processes that prevent insecure software deployments.

How do organizations avoid S3 bucket leaks?
For starters, PocketiNet could have done nothing. Amazon S3 buckets are private by default and can only be accessed by users that have been explicitly given access. Again, by default, the account owner and the resource creator are the only ones who have access to an S3 bucket and key, so someone has to actively misconfigure an S3 to expose the data.  

Amazon has been actively working to help companies avoid breaches caused by misconfiguration.  In November 2017 AWS added number of new Amazon S3 features to augment data protection and simplify compliance.  For example, they made it easier to ensure encryption of all new objects and monitor and report on their encryption status.  They have also provided guidance on approaches to combat this issue, like the use of AWS Config to monitor for and respond to S3 buckets allowing public access.

As a most basic first step to avoiding S3 bucket leaks, take advantage of the native AWS capabilities.  Ensure that you are always purposefully using AWS S3 access policies to define who can access the objects stored within. Ensure your team is well trained to never open access to the public, unless absolutely necessary, as doing so can result in the exposure of PII and other sensitive data. And help prevent unauthorized access to your data by taking advantage of capabilities like AWS Config.  

The challenge is that many organizations struggle to adopt and enforce best practices consistently, and only 100% consistency can ensure protection against a breach.  This is why an investment in cloud operations is a vital additional step.

Invest in Cloud Operations:
Cloud operations, or CloudOps, is the combination of people, processes, and tools that allow for organizations to consistently manage and govern cloud services at scale. Key to this is hiring and developing the right people, identifying processes that address the unique operational challenges of cloud services, and the automation of these processes with the right tools.  One vital tool in your CloudOps toolkit should be software like DivvyCloud, that monitors and remediates cloud misconfigurations allowing you to achieve continuous security and compliance at scale.

In about 15 minutes, you can install DivvyCloud, connect your cloud (AWS, Azure, and GCP) accounts, quickly see S3 buckets that are misconfigured, and then turn on real-time continuous automated remediation of misconfigured buckets.

For example, using DivvyCloud, an organization will be able to leverage automation to remove the public permissions from the access control list where necessary.  Users can also leverage bucket policies in place of access control lists for the finer-grained access control. This automation prevents data breaches by finding, alerting, and remediating misconfigured storage containers way before vulnerabilities are exposed.

It’s important to highlight that DivvyCloud not only flags the problem in real-time but gives the user an exact pointer to where the problem is. If somebody were to tell you “there is an open S3 bucket” but didn’t narrow down to a granular level, where would you start?  This is why DivvyCloud alerts that there is an open S3 Bucket, then takes action and informs the user to exactly which bucket in which account.

In the end, the way to avoid exposing data in S3 buckets is really common sense: Don’t ever configure the S3 buckets to be exposed to the public. Organizations need to learn about security configurations while evaluating their public cloud options or pay someone else to do it for them. Otherwise, it’s only a matter of time before they join the 14 aforementioned organizations in the growing list of those who have to explain to their customers that their information has been compromised.

Make S3 bucket leaks a thing of the past (now and forever). Install DivvyCloud with a  free 30-day trial or speak with a DivvyCloud expert today!


DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

How Anthem’s Massive Data Breach Could Have Been Avoided

As initially reported by Bank Info Security editor, Marianne McGee, Anthem, one of the world’s largest health insurers, recently suffered the largest-ever HIPAA fine at $16 million due to a 2015 data breach which affected nearly 79 million customers.

“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” says OCR Director Roger Severino.

“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information. We know that large healthcare entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”

Identity and Access Management

According to Gartner, Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. IAM is particularly important in the increasingly complex and heterogeneous technology environments of companies operating multiple clouds and cloud accounts.  The discipline includes the organizational policies for managing digital identity as well as the technologies needed to support identity management.

IAM is an area where many developers and engineers lack expertise and as a result, many are extremely hesitant about making configuration choices and often can inadvertently make poor choices.  There is an enormous risk for an organization when IAM is handled incorrectly as seen with Anthem.

Anthem’s IAM policies didn’t meet industry or regulatory standards and this was evident by their lack of adequate minimum access controls. Further illustrated by their lack of an enterprise-wide security risk assessment, their insufficient procedures to regularly review information system activity, and failure to identify and respond to suspected or known security incidents. These critical areas of security weakness led to a massive data breach of customer data, a $16 million HIPAA settlement, and several other legal actions and investigations that concluded with a record $115 million consolidated settlement.

That’s a lot of trouble DivvyCloud could have helped Anthem avoid.  DivvyCloud helps customers adhere to industry and regulatory standards including in areas like IAM.  For example, ensuring robust password policies including multi-factor authentication. Our out-of-the-box HIPAA compliance pack has mapped the entire framework to the major cloud service providers to keep your cloud infrastructure in compliance.

 

The Golden Rule

Going back to how it is easy for people to make poor choices, this often occurs by over granting privileges to cloud resources.  For good security, the golden rule is that when you create IAM policies you should only grant the least privilege—that is, grant only the permissions required to perform a task.  

Of course, to do this, you need to first determine what users need to do and then craft policies for them that let the users perform only those tasks.  Another approach is to start with a minimum set of permissions and grant additional permissions as necessary. This sounds great, but in practice, this is actually hard to do and time-consuming.  

What actually happens is that a developer will start with permissions that are too lenient.  Sometimes this is due to a lack of understanding or sometimes they intend this to be temporary but then get distracted and forget to later return and tighten the permissions.  In either case, they might write a policy that looks like this:

While this policy may certainly solve any access issues a user or application may be facing, they expose the account to an extraordinary amount of unnecessary risk. Additionally, policies like this are difficult to find and remove later, quickly becoming lost in the console among hundreds of other policies, nested in tabs that may never be visited again.

This is an example of why DivvyCloud has a big IAM focus. DivvyCloud’s real-time alerting enables customers to open a ticket using their ticketing system (Jira, ServiceNow, PagerDuty, etc.) based on any problems inside of the platform. Tickets are automatically created when problems are identified by Bots. This sends the issue directly to your IT team’s ticketing queue for remediation.  Anthem would have benefited from our automated reporting and remediation tools by being ensured they had minimum access controls, automated enterprise-wide security risk assessments, regular reports of information system activity, and the ability to continuously identify and remediate suspected or known security incidents.

Interested in learning more? Get your free trial of DivvyCloud or speak with a DivvyCloud expert today!


DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Feature Release: 18.6 – Event Driven Harvesting, New Compliance Packs, & More

 

We are introducing some fantastic new capabilities in this release including event driven harvesting (“EBH”), three new compliance packs, and increased support for Amazon Web Services, Microsoft Azure, and Google Cloud Platform.  Our latest release also includes more than 130 new filters, actions, and general enhancements. Event Driven Harvesting is really exciting as it improves detection and remediation times, as well as provides additional auditable data and context for lifecycle actions and changes to cloud resource and security confirmations.

Twice a quarter DivvyCloud releases a new version of our software, and we are excited to announce our sixth release of 2018! Collaboration with our customers and the broader “cloud” community help shape these releases with improvements to core capabilities around discovery, analysis and automated remediation of cloud infrastructure as well as new features and support for the ever-expanding portfolio of services from the major cloud providers.

Highlights:


 

1. EVENT DRIVEN HARVESTING (BETA)
In this release, we introduce event driven harvesting for AWS resources.  Before this release we exclusively used an API driven polling based approach to discover resources and monitor their configuration relative to policies.  With the addition of event driven harvesting, we now offer a best in class dual layer approach for discovering and monitoring resources. Harvesting can now be triggered based upon events in your cloud as opposed to solely relying on a polling based approach. This dual layer approach provides the best of both worlds – the full immutable discoverability of API harvesting with the speed and richness of event driven harvesting.    At present, this capability is only available for AWS accounts through the use of AWS CloudWatch, but we will be expanding event driven harvesting to Azure, GCP, and Kubernetes in the coming releases. For AWS customers using CloudWatch we help them get the most out of this great service — DivvyCloud now makes CloudWatch events more accessible and actionable — especially in complex environments with a large number of AWS accounts.   Currently, event driven harvesting supports the following AWS resources:

Three Main Benefits of Event Driven Harvesting:

  • Fast Identification & Remediation of Issues with Key Resources – Faster identification, and reaction/remediation to change. In AWS, CloudWatch will identify changes within 90 seconds for key resources  allowing DivvyCloud to collect the information from this event stream. This approach speeds up the ability for us to identify a change, evaluate it against policy, and then take action to remediate policy violations.

  • Specific Data About Any Changes – Event driven harvesting provides rich contextual information and full visibility into who did what, where, and when.  For example, in the image above, in row 4 under “Action” you can see someone created an S3 Bucket. In row 5 you can see someone added tags to a bucket. In row 6 someone put an access control list on a bucket.  You can also see the time under “Date,” as well as the IP address under “Source IP.” This gives you the ability to see that John Smith created an S3 bucket at 11:19 am at a coffee shop in Asheville.

           If you click on the box all the way on the left, you get the exact change that happened with Amazon.

You can view the action, if it was an API change or if it was the console.  You get the user, so if you look at the highlighted word, you’ll see someone was using “root” which is a big “no no.” If root wasn’t being used, you might see “User/ Employee name.” Again, you get all of the exact information about the change.

  • Audit Global Changes Via Event Stream – Consider the above Cloud Event View and imagine you have 300+ accounts.  Using DivvyCloud badges you could say “show me all production changes,” and then across all 75 accounts that are badge production, you get your full, uniform feed of all production changes. Or you can filter the event stream using DivvyCloud Badges to cut the data by project, severity, owner, compliance requirements, etc.  With Native Amazon capabilities, you have to view this data account to account, region by region, vs. DivvyCloud’s new global view of all changes. Our badges give users that layer of fidelity that is vitally important when managing your cloud accounts.

 

2. New Compliance Packs

  • CSA CCM
    The Cloud Security Alliance maintains an industry standard matrix known as the Cloud Compliance Matrix (CCM). This framework contains controls to harden and secure cloud technology and aligns them against other security regimes such as NIST‐800.53, HIPAA and ISO 27001. With 18.6, this compliance standard is now supported within the product.
  • CIS Benchmarks for GCP
    In early September, the Center for Internet Security (CIS) published a new benchmark for security cloud workloads on Google Cloud Platform (GCP). This benchmark contains dozens of security recommendations across Identity & Access Management, Logging/Monitoring, Networking, Storage, Compute and Kubernetes.
  • CIS Benchmarks for Azure
    With release 18.5, we first introduced support for the CIS Benchmarks for Azure, and with 18.6 we’ve added over 25 new Insights and checks against this compliance framework.

 

3. Cloud Compliance (Cloud Account Health Check)
The *New* Cloud Compliance view enables users to get quick visibility into how each cloud account stands relative to one or more compliance frameworks. It provides a top-level view into the number of failed checks based on the selected compliance pack criteria. Badges can be leveraged to tailor the view to specific risk profiles, environments, owners and more.   

This compliance module, in the context of HIPAA for AWS, shows that you are failing 13 of 25 checks.  Why this is great, for example, is you can see how you are doing in your production accounts or the accounts owned by Jay. You can also take badges, and compare Jun Park’s account to Jay’s clouds.  This spread out over hundreds of cloud accounts is going to make it quick and easy to see how you’re trending for this compliance pack. If you put DivvyCloud in place and your risk is terrible across your production clouds, what you want to see over time because you’ve been using insights and bots, is your risk going down and making everything more secure.  

 

4. Filters Library
Filters are one of the key ingredients in how we manage insights and bots. With the 18.6 release, users will now have access to an exhaustive list of all (~600) filters employed in our system. This will be the one-stop location to check when a filter was created, modified, or deprecated. For those who want to see how the filter functions, this page will also let users open and see the source code of the filter definition.

 

5. Additional Cloud Support/Enhancements

    • Amazon Web Services
      • Support for Simple Notification Service (SNS)
      • Support for Simple Email
      • Service (SES) Support for CloudFront
      • Support for visibility into GuardDuty
      • Support for visibility into Lambda account limits
      • Store the boolean property for automatic minor upgrades for RDS instances Store and surface the VPC ID that’s associated with an
      • ElastiCache cluster
      • Support for harvesting of IAM SAML providers
      • Ability to view and modify IAM Role assume role policies
      • Visibility into cross-account private images
    • Google Cloud Platform
      • Support for Pub/Sub
      • Support for Service Account Keys
      • Support for tracking VPC flow logging and Google Private Access at the subnet level
      • Support for identifying legacy networks
      • Enhanced GKE visibility and configuration checks
      • Enhanced visibility into GCP Storage buckets
    • Microsoft Azure
      • Support for Azure Kubernetes Service (AKS)
      • Support for Cosmos DB
      • Support for Graph RBAC
      • Support for Databases
      • Support for Network Peers
      • Visibility into network limits/usage

Interested in learning more? View the full release notes associated with our 18.6 release, or get your free trial and see our features in action.



DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

 

FitMetrix Leaks Customer Data

Much like death and taxes, the inevitable has happened, another company has exposed its customer data.  Who’s the culprit this week? FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody.

According to TechCrunch, last week, three FitMetrix servers were found by a security researcher to be leaking customer data. How long the servers remained exposed is unknown, but in September, the servers were indexed by Shodan, a search engine for open ports and databases.

The servers included two of the same ElasticSearch instances and a storage server — all hosted on Amazon Web Service — yet none were protected by a password, allowing anyone who knew where to look to access the data on millions of users.

What data was exposed?

More than 113.5 million records (though it remains unclear how many users were affected). “Each record contained a user’s name, gender, email address, phone numbers, profile photos, their primary workout location, emergency contacts and more.”

Out of the box, DivvyCloud’s software would have detected this misconfigured instance and automated the remediation to close this vulnerability in real-time.

Like so many AWS, GCP, Azure, and Alibaba cloud services, AWS ElasticSearch Service is an incredibly powerful and useful service. It is also very challenging for IT professionals, developers, and engineers to consistently configure these powerful services in a way that mitigates security and compliance risk.

First, it is a daunting task to learn about how to configure ever-evolving cloud services correctly — it is like drinking from a firehose. Second, it is even more daunting to know how to do this relative to the security standards (e.g., CIS Benchmark or NIST CSF) and regulatory frameworks (e.g., PCI DSS or HIPAA) that a company chooses to or must comply with. And lastly, it is difficult for any one person or group of people to achieve 100% consistency in applying these standards at the speed and throughput that we ask our tech teams to operate.

DivvyCloud solves these challenges for customers like General Electric, Discovery Communications, and Fannie Mae using cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of cloud and container infrastructure allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

In a nutshell, we mitigate security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure.

Interested in learning more? Get your free trial of DivvyCloud or speak with a DivvyCloud expert today!

Kubedex’s Comparison of Google GKE vs Microsoft AKS vs Amazon EKS

Kubedex, a top destination to discover, compare and share Kubernetes Applications, recently shared an interesting, and self-described “brutal” article comparing cloud-hosted Kubernetes providers.

A screenshot of the Google sheet comparing GKE, AKS, and EKS.

True to his promise of a “brutal comparison,” the author was unsparing in his criticism of Microsoft AKS – “if the company I’m working for decided to migrate to Azure I’d find a new job.”

Kubedex’s final recommendation?  “Go with Google GKE whenever possible. If you’re already on AWS then trial EKS but it doesn’t really give you that much currently. You may be better off looking at Kops or some other cloud installer until they add managed workers and other integrations.”

We found this particularly interesting because in July Google introduced commercial Kubernetes applications in their GCP Marketplace and DivvyCloud was proud to be included as a launch partner.

That made it even easier for customers to deploy DivvyCloud to mitigate security and compliance risk while embracing the dynamic, self-service nature of Kubernetes. Now our customers can govern their container environments running on AWS Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), and Microsoft Azure Kubernetes Service (AKS).  They use DivvyCloud to monitor, apply policy, and take action on six resource types: Containers, Pods, Ingress, Node, Deployments, and Services. For the first time, customers can gain a holistic view of their cloud container infrastructure and apply policies across all the related and support elements (e.g., IAM and underlying or related cloud infrastructure).

Whether you agree with the author’s opinions or not, DivvyCloud’s software covers all three cloud-hosted Kubernetes providers and enables organizations to achieve continuous security governance of their container infrastructure.  Interested in learning more? Get your free trial of DivvyCloud or speak with a DivvyCloud expert today!

If interested in learning about creating a Kubernetes security strategy, check out our white paper “A Holistic Approach to Securing Kubernetes that Integrates Culture and Technology.”


DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Ensuring Continuous Security and Compliance in Your Cloud Environments

How do you ensure continuous security and compliance in your cloud and container environments?  Invest in cloud operations. This is the best way to ensure that your organization is consistently and continually mitigating this risk.  Cloud operations, or “CloudOps”, is the combination of people, processes, and tools that allow for organizations to consistently manage and govern cloud services at scale. Key to this is hiring and developing the right people, identifying processes that address the unique operational challenges of cloud services, and the automation of these processes with the right tools.  

One vital tool in your CloudOps toolkit should be software that provides centralized visibility of configuration choices, real-time evaluation of these choices against security policies, and automated remediation when a policy is violated.  DivvyCloud is exactly this kind of tool and our software is used by customers such as Discovery, Twilio, General Electric, Kroger, Fannie Mae, Turner, and Autodesk to achieve continuous security for their public cloud and container environments. We are natively multi-cloud, extensible, automate remediation to protect and mitigate real-time risks, and provide over 165 out-of-the-box policies for a quick start to fully secure your cloud.  

Below are 5 examples of these out-of-the-box policies, why they’re important, and which standards and directives they map to:

  • Storage Container Exposing Access To World
    Global API Accounting Config records API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the specific cloud service. Global API Accounting provides a history of API calls for each account, including API calls made via the management console, SDKs, command line tools, and other cloud services. Maps to Security Standards:
    • NIST Cyber Security Framework (CSF): ID.RA-1
    • NIST 800-53: SC-7
  • Instance With a Public IP Exposing SSH
    Security groups provide stateful filtering of ingress/egress network traffic to cloud resources. It is recommended that no security group allows unrestricted ingress access to port 22. Maps to Security Standards:
    • Center for Internet Security (CIS): Networking 4.1
    • NIST Cyber Security Framework (CSF): ID.RA-1
    • NIST 800-53: CM-7
  • Cloud Account Without Root Account MFA Protection
    The root account is the most privileged user in a cloud account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to the cloud account, (s)he will be prompted for username and password as well as for an authentication code from an AWS MFA device. Note: When virtual MFA is used for root accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independently of any individual personal devices. (“non-personal virtual MFA”) This lessens the risks of losing access to the MFA due to device loss, device trade-in or if the individual owning the device is no longer employed at the company Maps to Security Standards:
    • Center for Internet Security (CIS): Identity & Access Management 1.13
    • NIST Cyber Security Framework (CSF): DE.CM-3
    • NIST 800-53: PM-11
  • Access List Exposes SSH to World (Security Group)
    Access Lists (Security Groups) provide stateful filtering of ingress/egress network traffic to cloud resources. It is recommended that no security group allows unrestricted ingress access to port 22. Maps to Security Standards:
    • Center for Internet Security (CIS): Networking 4.1
    • NIST Cyber Security Framework (CSF): ID.RA-1
    • NIST 800-53: AC-17
    • CSA Cloud Controls Matrix (CCM): GRM-01
  • Access List Exposes Windows RDP to World (Security Group)
    Access Lists (Security Groups) provide stateful filtering of ingress/egress network traffic to cloud resources. It is recommended that no security group allows unrestricted ingress access to port 3389. Maps to Security Standards:
    • Center for Internet Security (CIS): Networking 4.2
    • NIST Cyber Security Framework (CSF): ID.RA-1
    • NIST 800-53: AC-17
    • CSA Cloud Controls Matrix (CCM): GRM-01

These are just some of the many multi-cloud policies that we can help you monitor and remediate.  Click here, if you’re interested in learning about others, as well as the top security risks that DivvyCloud protects you from. Or if you’d like us to explain, contact us and let’s have a conversation.


DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Join DivvyCloud at the Microsoft Ignite | September 24-28 [Booth #240]

Join DivvyCloud at Microsoft Ignite 2018 and answer the question we are asking all attendees: “Where do you need guardrails?”

DivvyCloud mitigates risk by providing virtual guardrails for security, compliance, and governance to customers embracing the self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (Azure, AWS, GCP, Alibaba, and Kubernetes).  

Microsoft Ignite is a great place for us to meet interesting people like you who are doing amazing things with Microsoft Azure.  We’d love to learn more about your Azure goals, plans, and challenges, and share our vision of how automation can make it a lot easier to securely operate Azure environments.  

Have questions about security and compliance in Azure?  Schedule a time to speak with our Azure experts at booth #240 on September 24th-28th to get the answers.  

If you haven’t attended before, Microsoft Ignite is designed to bring together the cloud computing community to connect, collaborate, and learn about Azure. Check out the sessions we recommend to further your Azure security and compliance knowledge:

  1. Azure Kubernetes Service and containers with Brendan Burns
  2. Microsoft security: How the cloud helps us all be more secure
  3. Secure your resources in Azure with Azure Security Center

The DivvyCloud Azure Advantage: Customers with Microsoft Azure (and other cloud technologies) can leverage a single management platform for event-driven, self-healing cloud infrastructure.

Consistent Policy Enforcement: DivvyCloud automation Bot’s work within our unified data model and therefore can enforce security, cost, and performance policies consistently across different Azure deployments (as well as other clouds).

Multi-Cloud Taxonomy: Organize assets in new ways by leveraging DivvyCloud resource groups with auto-curation capabilities. Resource groups are a many-to-many relationship that can contain resources from multiple Azure subscriptions and any other supported cloud technology such as AWS, VMware or OpenStack. They enable IT and stakeholders to better organize and delegate permissions to cloud and application resources.

Unified Experience: Reduce the complexities and barriers to entry when switching users between Microsoft Azure and other popular cloud technologies such as Amazon Web Services and Google Compute Engine. Our unified experience does the heavy lifting for stakeholders. With DivvyCloud all clouds look and feel the same making it easier for end-users to focus the compute, storage and networking resources they require.

Scheduled Instances: There’s a great deal of waste with resources running on a 24x7x365 basis. Oftentimes, development, QA, and staging compute instances are required only during business hours and/or can be suspended entirely during the weekend/holidays. Using DivvyCloud’s Scheduled Instances Bot, customers can define custom stop/start schedules that can cut dramatically down their monthly bills. By coupling the feature with resource groups, we can easily define different schedules for production, development, or specific project teams as needed.

Provisioning Templates: Reduce the steps required for users to provision the compute power they need for their day-to-day tasks. Provisioning templates provide point-and-click access to compute instances and can be shared amongst users in the organization. Template authors can define optional overrides as well, allowing the user to personalize a standard template while remaining in compliance.

Instance Auditing: Identify and even prevent end-users from spinning up excess compute capacity by defining blacklisted instance types. Custom policies can be enforced per Azure subscription making it easy for administrators to keep a handle on cloud cost across their cloud environments.

Disparate Resource Notification: Too often end-users mistakenly provision in regions that aren’t used for your product/service. You can now easily prevent this resulting not only in cost reduction but bolstering corporate security posture by eliminating unknown entry points into the cloud.

Secure Cloud Storage with Proper Configuration

An organization that has transitioned to a cloud provider such as Amazon Web Services, Microsoft Azure, Google Cloud Platform, or any combination thereof should immediately be thinking about the configuration of cloud services as a key element to security.

Many IT leaders and professionals make the mistake of approaching security in the cloud the same way they approached security in a traditional data center. However, in the software-defined world of public cloud, there is an added wrinkle.  Without a holistic approach to security which includes a view of configuration, you can easily open yourself up to undue risk. Configuration is an additional challenge when dealing with software-defined infrastructure in the public cloud. This is especially of concern when empowering developers and engineers with self-service for provisioning and configuration, who may not be familiar with security and having to deal with the rate of change in the cloud.  Because cloud technology is always changing, it’s vitally important that we understand the configuration choices being made. Validating those configuration choices against security standards becomes far more important for most companies now than in the past because failing to do so, for example, in storage containers, can lead to the company data breaches that we continuously hear about in the news.

Storing remotely versus locally offers huge advantages to both consumers and businesses, however, storage container breaches are a constant in the news these days. Too many companies (Fed Ex, Alteryx, National Credit Federation, Verizon, Australian Broadcasting Corporation, Dow Jones, Deep Root Analytics, Robocent, Macy’s, Adidas, GoDaddy, SpyFone, etc.) in the last year alone, have exposed sensitive, personal information for hundreds of millions of people from around the world. This epidemic has seen the theft or loss of more than 9 billion data records in the last five years.   

How are these attackers able to breach company storage containers?
Often times the storage container configuration is incorrect. The created container permissions may have been too broad which allows anyone to access the data. Again, these containers may have been serviced by people who aren’t familiar with security, thus the developer who created the container was unaware of how to properly secure it, or it was something as simple as an oversight.  For example, let’s say a developer was troubleshooting an issue that was causing an application to fail and suspected the storage container access was to blame. The developer may have tweaked the storage container configuration leaving it open to the public, and as the application began working again, moved on to another project. Now that company has an exposed storage container. It may not have even been the developer’s fault as someone else may have altered the container’s configurations at a later date for any number of reasons. So many organizations are made vulnerable because a lot of them don’t have processes that prevent insecure software deployments.

How do organizations avoid exposing their storage containers?
For starters, you could do nothing. Amazon S3 buckets, for example, are private by default and can only be accessed by users that have been explicitly given access. Again, by default, the account owner and the resource creator are the only ones who have access to an S3 bucket and key, so someone has to actively misconfigure an S3 to expose the data.  

Image Source

Amazon has been actively working to help companies avoid breaches caused by misconfiguration.  In November 2017 AWS added number of new Amazon S3 features to augment data protection and simplify compliance.  For example, they made it easier to ensure encryption of all new objects and monitor and report on their encryption status.  They have also provided guidance on approaches to combat this issue, like the use of AWS Config to monitor for and respond to S3 buckets allowing public access.

As a most basic first step to avoiding S3 bucket leaks, take advantage of the native AWS capabilities.  Ensure that you are always purposefully using AWS S3 access policies to define who can access the objects stored within. Ensure your team is well trained to never open access to the public, unless absolutely necessary, as doing so can result in the exposure of PII and other sensitive data. And help prevent unauthorized access to your data by taking advantage of capabilities like AWS Config.  

The challenge is that many organizations struggle to adopt and enforce best practices consistently, and only 100% consistency can ensure protection against a breach.  This is why an investment in cloud operations is a vital additional step.

How does DivvyCloud help customers fix the problem?
DivvyCloud’s customers leverage bot automation to remove the public permissions from the access control list where necessary.  Customers can also leverage bucket policies in place of access control lists for the finer-grained access control. DivvyCloud’s bot automation prevents data breaches by finding, alerting, and remediating misconfigured storage containers way before vulnerabilities are exposed.

It’s important to highlight one of the things DivvyCloud does well, is not only to flag the problem in real-time but to give customers an exact pointer to where the problem is. If somebody were to tell you “there is an open S3 bucket” but didn’t narrow down to a granular level, where would you start?  This is why DivvyCloud doesn’t simply alert that there is an open S3 Bucket, we take action and inform the customer to exactly which bucket in which account.

In the end, the way to avoid exposing data in cloud storage containers is really common sense: Don’t ever configure the storage containers to be exposed to the public. Organizations need to learn about security configurations while evaluating their public cloud options or pay someone else like DivvyCloud, to do it for them. Otherwise, it’s only a matter of time before they join the 12 aforementioned organizations in the growing list of those who have to explain to their customers that their information has been compromised.

Install DivvyCloud today with a  free 30-day trial and make these storage container misconfigurations a thing of the past (now and forever).



DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

 

DivvyCloud’s CSA Cloud Controls Matrix (CCM) Insight Pack

DivvyCloud is proud to announce that we have just released the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a new insights pack.

What is CSA CCM?
Cloud native frameworks such as the CSA CCM allow companies to embrace the many benefits of the public cloud without opening up a Pandora’s box of risk. The CSA CCM provides organizations with the needed structure, detail, and clarity relating to information security tailored to the cloud industry, and has become the generally agreed upon standard of US-based financial services companies on how they will govern their use of the cloud.   Many financial institutions use the CSA CCM because it encompasses multiple security frameworks across multiple organizations and allows them to look at their legacy frameworks and determine which portions are covered.

DivvyCloud has taken this framework of cloud-specific controls and implemented it as one of our Insight Packs.  This operationalizes the controls, allowing DivvyCloud customers immediate, and continued visibility into policy violations and automated remediation of those violations.

The CSA CCM strengthens existing information security control environments in a number of ways:

  • It emphasizes business information security control requirements;
  • It reduces and identifies consistent security threats and vulnerabilities in the cloud;
  • It provides standardized security and operational risk management;
  • It seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

Dive Into DivvyCloud’s CSA CCM Insight
CSA CCM has directives AIS-04, BCR-07, BCR-10, BCR-11, IAM-01, IAM-12, IVS-01, and IVS-03.  All of these require that you have Global API Accounting Configured so that it records API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the specific cloud service. Global API Accounting provides a history of API calls for each account, including API calls made via the management console, SDKs, command line tools, and other cloud services.  Without this, you are in violation of CSA CCM. With DivvyCloud our “Cloud Account Without Global API Accounting Config” Insight will identify when this is violated and customers can build an automation to remediate. For example, in AWS, this would mean DivvyCloud would use the API write credentials to turn on AWS CloudTrail for the resource in question.

Interested in learning more? Get your free trial of DivvyCloud and see the CSA CCM Insight Pack in action.



DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Yet Another S3 Bucket Leak … SpyFone’s Data Exposed!

News broke last week that sensitive data was exposed yet again. I hope you haven’t forgotten our running analogy, “we are living in the cybersecurity version of the movie Groundhog Day.”  It seems like every day we are reliving the same problem, the same leak over and over again. If you are reading this thinking “yes, you’ve used that analogy way too many times,” then I hope you understand that’s kind of the point.

Nevertheless, it’s time to add another company to the list of S3 bucket leaks that have exposed sensitive, personal information for hundreds of millions of people from around the world.

So what happened this time?

SpyFone, whose website hero header reads “Monitor Your Children with World’s #1 Parental Monitoring Software – Trusted by Parents Worldwide” left the data of thousands of its customers—and the information of the children they were monitoring—exposed in an unprotected Amazon S3 bucket.

According to Motherboard:

The data exposed included selfies, text messages, audio recordings, contacts, location, hashed passwords and logins, Facebook messages, and more.

 

A security researcher found the data on an Amazon S3 bucket owned by SpyFone, and Motherboard was able to verify that the researcher had access to SpyFone’s monitored devices’ data by creating a trial account, installing the spyware on a phone, and taking some pictures. Hours later, the researcher sent back one of those pictures.

 

The researcher said that the exposed data contained several terabytes of “unencrypted camera photos.

SpyFone’s tagline in the features section of their website reads: “Get peace of mind while monitoring your children’s activity online.”  If not for the security researcher finding the exposed data first, it may not have been only the parents who were monitoring their children’s selfies, text messages, calls, location, etc. The risk of companies exposing personal data is very high, and at times, even dangerous.

What could SpyFone have done differently?

For starters, SpyFone could have done nothing. Amazon S3 buckets are private by default and can only be accessed by users that have been explicitly given access. Again, by default, the account owner and the resource creator are the only ones who have access to an S3 bucket and key.

SpyFone could have also installed DivvyCloud.

In about 15 minutes, you can install DivvyCloud, connect your cloud (AWS, Azure, and GCP) accounts, quickly see S3 buckets that are misconfigured, and then turn on real-time continuous automated remediation of misconfigured buckets.

Make S3 bucket leaks a thing of the past (now and forever). Install DivvyCloud today with a  free 30-day trial and make sure your company never makes the news for an S3 bucket leak.


DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

 

Why is Cloud Computing a Top Risk for Enterprise Executives?

As of Q2 in 2018, cloud computing remains the top risk concern for enterprise executives surveyed by Gartner.  Every quarter, Gartner surveys risk, audit, and compliance executives for information about impending threats to their enterprises.  Here are the survey results:

According to Gartner’s survey, it seems data breaches in the cloud are the number one concern of enterprise executives.

Why do executives feel the risk is so high? The Cultural change. This new self-service access to a broader set of individuals that comes along with cloud computing is what drives the risk. In general, that the speed of change means people haven’t had time to update their skill sets and don’t know what they are doing.  These are problems that are minimized in an old-school data center environment, yet old-school data centers don’t provide the flexibility, scalability, agility, rapid innovation, etc. that cloud does.

But is cloud computing really any less secure than maintaining your own hardware? The simple answer is that cloud computing is generally more secure if and when managed properly. Risks exist whether IT is managed in-house or virtually. As long as IT departments use a high-security standard at the forefront of their cloud strategy, just as they would for applications, platforms, and infrastructure deployed in-house, then the utilization of shared services in the cloud will successfully yield those major management benefits that old-school data centers don’t.

Another Day, Another S3 Bucket Leak … GoDaddy’s Data Exposed!

News broke this week that sensitive data was exposed yet again. Remember our running analogy, “we are living in the cybersecurity version of the movie Groundhog Day?”  It feels like the same day, the same problem, the same leak over and over again. Too often now we hear about S3 bucket leaks (Fed Ex, Alteryx, National Credit Federation, Verizon, Australian Broadcasting Corporation, Dow Jones, Deep Root Analytics, Robocent, Macy’s, Adidas, etc.)  that have exposed sensitive, personal information for hundreds of millions of people from around the world. This epidemic has seen the theft or loss of more than 9 billion data records in the last five years.  

So what happened this time?

GoDaddy, one of the world’s top domain name registrars with over 18 million customers, was discovered to have files containing detailed server information, stored in an unsecured S3 bucket. According to the report from cybersecurity firm Upguard, the exposed documents include high-level configuration information for tens of thousands of systems and pricing options for running those systems in Amazon AWS, including the discounts offered under different scenarios.  

Mallory Locklear, Engadget, reported that UpGuard notified GoDaddy of the discovery shortly after uncovering the exposed storage bucket, but GoDaddy didn’t secure the information for over five weeks. In that time, when checking up on the progress of his report, it was said that it’s typical for there to be a delay following security reports such as this one.

It seems in this instance that Amazon itself was the cause of the exposure. “The bucket in question was created by an AWS salesperson to store prospective AWS pricing scenarios while working with a customer,” an AWS spokesperson told Engadget. “No GoDaddy customer information was in the bucket that was exposed. While Amazon S3 is secure by default and bucket access is locked down to just the account owner and root administrator under default configurations, the salesperson did not follow AWS best practices with this particular bucket.”

Even though GoDaddy’s publicly exposed S3 bucket seems to be the fault of their cloud provider, there are still potential risks, for example, did anyone else access their information outside of UpGuard in the five+ weeks their S3 bucket remained exposed?

“One could arguably say that GoDaddy hosts a fifth of the internet,” UpGuard reported. “And a successful attack on its systems could potentially disrupt global internet traffic.”

In the movie Groundhog Day, Bill Murray is trapped in a time loop, where escape is only possible after accumulating knowledge through multiple passes.  Companies should have plenty of knowledge on S3 bucket leaks now, so instead of waiting 34 years (estimated amount of time Murray spent in the Groundhog Day time loop), organizations should invest in learning from their peer’s mistakes and immediately put cloud security into the forefront of development plans.

You can stop S3 bucket leaks today with one easy step: install DivvyCloud.

In about 15 minutes, you can install DivvyCloud, connect your cloud (AWS, Azure, and GCP) accounts, quickly see S3 buckets that are misconfigured, and then turn on real-time continuous automated remediation of misconfigured buckets.

Make S3 bucket leaks a thing of the past (now and forever). Install DivvyCloud today with a  free 30-day trial and make sure your company never makes the news for an S3 bucket leak.

DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Feature Release: 18.5 – Kubernetes, Cost Visibility, GCP, & More

 

Twice a quarter DivvyCloud releases new product features, and we are excited to announce our fifth feature release of 2018! Collaboration with our customers and the community help shape these releases across all the pillars of our product: discovery, analysis, and automated action.

With this release, we now deliver continuous security and compliance to container environments in addition to public clouds. We also expanded support to include more services in AWS and GCP, and to increase the ability to apply policy to Identity & Access Management with a particular focus on GCP.   Some highlights include:

  • Support for Kubernetes:  DivvyCloud now supports AWS Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), Microsoft Azure Kubernetes Service (AKS).  You can now monitor, apply policy and take action on six resource types: Containers, Pods, Ingress, Node, Deployments, and Services.
  • Support for AWS Kinesis Firehose: DivvyCloud now helps you secure this real-time streaming data service in Amazon Web Services. Data security is top of mind for many customers and we help ensure that no matter where your data resides inside of AWS we can help you ensure that misconfigurations don’t create a risk of breach.  
  • Root Account Information: Securing your root credentials is a vital piece of cloud security and compliance.
  • Cloud Service Cost Coverage: You can now build insights that identify risk of runaway spending and allow you to take action to prevent it.  

Below we dive more deeply into these five highlights from our latest release:


 

  • Support for Kuberenetes DivvyCloud has expanded support to containers, and specifically Kubernetes.  With the latest version of DivvyCloud, you can now govern container environments running on AWS Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), Microsoft Azure Kubernetes Service (AKS).  You can use DivvyCloud to monitor, apply policy, and take action on six resource types: Containers, Pods, Ingress, Node, Deployments, and Services. For the first time, customers can gain a holistic view of their cloud container infrastructure and apply policies across all the related and support elements (e.g., IAM and underlying or related cloud infrastructure.)

 

  • Support for Kinesis Firehose – Amazon Kinesis Firehose is a fully managed, elastic service that can capture streaming data, transform the data, and then send the data to Amazon Elasticsearch Service.  DivvyCloud monitors the configuration of two resource typesKinesis data stream and Firehose delivery stream.). We then provide the ability to compare configurations and configuration changes against the policies you have defined.  When we identify a policy violation you can automate the remediation of this violation. To apply granular controls, DivvyCloud users can locate specific data streams via filtering by numbers of shards, data retention period, and encryption status. Users can also filter delivery streams by their delivery type. Data security is top of mind for many customers and we help ensure that no matter where your data resides inside of AWS we can help you ensure that misconfigurations don’t create risk of breach.

 

  • Root Account Information:  DivvyCloud can gain visibility into customers’ credential report to figure out if the root account is actually being used.  Use of the root account in AWS is the biggest “no-no.” You’re never supposed to use it because it can effectively do everything in your account, and there is no attribution.  For example, say I give four team members root account access, and a day later I see in my logs that root just deleted 50 instances. Who deleted the instances and why? I don’t know, and now there’s a problem.  Now with the addition of the root account, administrators can quickly get visibility across all of their root accounts including the last time that the account was used, if it has two-factor and the count of active/inactive API credentials.  

 

  • Cloud Service Cost Coverage: DivvyCloud has added the ability to ingest your billing information from cloud providers.   This makes it easy to analyze your historical spend on one or more cloud services. But more importantly you can now use this data to drive action inside the DivvyCloud platform.  For example, you can then configure policies around cost and service tracking that alert when spending exceeds thresholds you have set. For example, many customers are concerned about developers experimenting with a new cloud service that may be extremely expensive. All too often, a well-intentioned person starts up a service to experiment, gets distracted, forgets about the service, and a month later a massive bill comes due.  These types of cost overruns are a nightmare scenario that we can now prevent. For example, you might configure a policy to alert if anyone in your organization spends more than $100 in a given period on Amazon Athena. This way you can proactively have visibility when developers start experimenting with new and novel cloud services that might run up the bill.

 

Interested in learning more? Click here to view the full release notes associated with our 18.5 release, or get your free trial and see our features in action.

DivvyCloud delivers comprehensive policy-driven security, compliance, and governance for cloud infrastructure (AWS, Azure, GCP, Alibaba Cloud, VMware, and OpenStack).  Our software performs real-time discovery of connected clouds, distills this data into actionable insights, and then makes it easy to configure policies that are automatically enforced across all clouds.  In essence, we provide virtual guardrails for security, compliance, and governance that help customers like GE, Discovery, and Fannie Mae go big and go fast in the public cloud, but still stay secure and compliant.

The Headache of Managing Cloud Spend

Many companies are failing to manage their cloud environment effectively, and are dealing with the daily headaches that come as a result. It’s become much easier to purchase new software or services, which means it’s even easier for spending to increase. Not effectively managing those expenditures can spin quickly into headache #1 – overspending.

A cloud fundamental is that you pay only for the computing power you use. If a company can plan usage or reserved instances then that will yield significant cost savings. However, most organizations lack the visibility to prepare for future needs accurately. Furthermore, companies are becoming more agile in the cloud. Development teams and business units can now gain immediate access to the resources they need through the push of a button. IT Directors live with a general fear that a developer will provision an expensive service that will create a $30,000 bill in a week and that they’ll only find out about it when it is too late.

In Azure, one of our developers was prototyping adding support for a service called Data Warehouse. He clicked a few buttons and launched it, went to lunch, came back and completely forgot about it. About a month later, our CFO looked at our bill and Slacked the team “who spent $5,000 last month on Microsoft Azure?” This happens to companies ALL the time. If DivvyCloud had the Cloud Service Cost Coverage feature when this incident occurred, we would have gotten an alert, and even though we don’t support Data Warehouse we would have seen the Data Warehouse charge. That charge may have gone from $0 to $100, but we would have identified the anomalous spend before it got out of control.

DivvyCloud gives you the right kind of data, to be able to make the right kind of decisions to take actions that protect you from cost overruns and waste.

DivvyCloud has added the ability to link a cloud account to your master so we can get the bill. When you look at your AWS, GCP, and Microsoft Azure bill, you’ll notice: 1) these bills are enormous—even the non-line item bills are 200 megabytes; and 2) they take all of these hourly and second charges then they bubble them up to a service: things like AWS Elastic Compute Cloud and AWS Support. DivvyCloud historically tracks that data and pulls it down once a day. Now you can quickly analyze your historical spend on one or more cloud services. You can then configure policies around cost and service tracking that alert when spending exceeds thresholds you have set. For example, “Alert me when EC2 spend exceeds $300 in the period, across all of my development accounts.”

This feature helps mitigate the risk mentioned above, that a developer will provision an expensive service that will create a $30,000 bill in a week, and that you’ll only find out about it when it is too late.

Interested in learning more? Get your free trial and see how our features will protect you from cost overruns and much more.

DivvyCloud delivers comprehensive policy-driven security, compliance, and governance for cloud infrastructure (AWS, Azure, GCP, Alibaba Cloud, VMware, and OpenStack). Our software performs real-time discovery of connected clouds, distills this data into actionable insights, and then makes it easy to configure policies that are automatically enforced across all clouds. In essence, we provide virtual guardrails for security, compliance, and governance that help customers like GE, Discovery, and Fannie Mae go big and go fast in the public cloud, but still stay secure and compliant.

Robocaller’s Leaky S3 Bucket Exposes Voter Information

News broke last week that sensitive data was yet again leaked… yeah, this is the same song we sing almost every week, but that’s kind of the point.  Our running analogy, “sometimes it feels like we are living in the cybersecurity version of the movie Groundhog Day,” becomes more apt with every passing day.

So what happened this time?

As reported by Zack Day, Security Editor for ZD Net, Robocent, a Virginia-based political campaign and robocalling company, left a massive batch of files containing hundreds of thousands of voter records on a public and exposed Amazon S3 bucket that anyone could access without a password.

Another misconfigured S3 bucket …

According to statistics from Bitdefender, as many as 7% of all S3 servers are entirely publicly accessible without any authentication, and 35% are unencrypted. If you dig through some of the recent leaks caused by poorly configured Amazon S3 resources, “these aren’t low-value data stores.”

Recent leaks caused by leaky S3 buckets:

These are just a few of the companies that have exposed sensitive, personal information for hundreds of millions of people from around the world.

This can change. You can stop S3 bucket leaks today with one easy step: install DivvyCloud.

In about 15 minutes, you can install DivvyCloud, connect your cloud (AWS, Azure, and GCP) accounts, quickly see S3 buckets that are misconfigured, and then turn on real-time continuous automated remediation of misconfigured buckets.

Make S3 bucket leaks a thing of the past (now and forever). Install DivvyCloud today with a  free 30-day trial and make sure your company never makes the news for an S3 bucket leak.


DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

DivvyCloud Partners with Google to Help Launch Commercial Kubernetes Marketplace

On Wednesday, July 18th, Google introduced commercial Kubernetes applications in their GCP Marketplace and DivvyCloud was proud to be included as a launch partner.  For the first time, commercial Kubernetes applications are available to deploy with one click to Google Kubernetes Engine with a usage-based pricing model. Commercial Kubernetes applications can be deployed on-premise or even on other public clouds through the Google Cloud Platform Marketplace.

GCP Marketplace is based on a multi-cloud and hybrid-first philosophy, focused on giving Google Cloud partners and enterprise customers flexibility without lock-in. It also helps customers innovate by easily adopting new technologies from ISV partners, such as commercial Kubernetes applications, and allows companies to oversee the full lifecycle of a solution, from discovery through management.

As part of Google’s launch, we launched our commercial Kubernetes application, available to all users through the Google Cloud Platform Marketplace. This makes it even easier for GCP customers to deploy DivvyCloud to mitigate security and compliance risk while embracing the dynamic, self-service nature of Google Cloud Platform, Google Kubernetes Engine, and Kubernetes.

Commercial Kubernetes applications available now


“To remain competitive and deliver on user demands, organizations adopting cloud need ready access to trusted, tested and portable applications that can run across their entire infrastructure. At Google Cloud we strive to make it as easy as possible for customers of all sizes to deploy, purchase and manage leading solutions in the cloud,” said Jennifer Lin, Director of Product Management Google Cloud. “The availability of commercial Kubernetes applications from providers like DivvyCloud is a critical part of extending enterprise investments and can simplify adoption of container-based infrastructure no matter what environment they operate in, either on-premise or in the public cloud.”

Customers exploring or using Kubernetes can easily access DivvyCloud on the marketplace, with rapid, same-day deployment. The Google Cloud Platform Marketplace makes it simple for customers to quickly deploy and manage the DivvyCloud solution, and to know when updates are available.  

Interested in learning more? Get your free trial of DivvyCloud or speak with a DivvyCloud expert today!

DivvyCloud software enables organizations to achieve their cloud and container goals by simplifying and automating security, compliance, and governance of infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). DivvyCloud was founded by seasoned technologists who understand firsthand what is necessary to succeed in today’s fast-changing, multi-cloud world.

Hack In Business: Macy’s & Adidas Data Breach

Another week, another data breach.  In the last two weeks, news broke that both Adidas and Macy’s suffered data breaches.   

In a letter leaked to DataBreaches.net, Macy’s wrote to affected customers that “the attacker used valid user credentials (usernames and passwords) to login to some online profiles … we believe valid login credentials were stolen from another company and/or sourced from the dark web.”

Adidas came clean to its customers about their data breach, and although details at this time are scarce, what is known is that “an unauthorized party” breached Adidas’ server; managing to steal the contact details, usernames, and encrypted passwords of “a few million consumers.”

Back in February, I believe we said it best. “Sometimes it feels like we are living in the cybersecurity version of the movie Groundhog Day. Day after day, week after week, we hear about data breaches that have exposed sensitive, personal information for hundreds of millions of people from around the world.”

Let’s take a look at eight other retailers who have suffered data breaches in 2018:

  1. Sears – April
  2. Kmart – April
  3. Delta – April
  4. Saks 5th Avenue – April
  5. Best Buy – April
  6. Lord & Taylor – April
  7. Under Armour – March
  8. Panera Bread – April

We are living in a world where there are hundreds of thousands of people around the globe continuously (whose job it is even) trying to exploit vulnerabilities. Regardless of how the breach occurs, typically, it’s because of an approach to compliance that is manual and periodic rather than continuous. Inevitably, that creates a cycle of being in and out of compliance.  The problem is that even a brief lapse in compliance opens up a window that can and will be exploited. When you don’t achieve continuous compliance through monitoring and automated remediation, then it’s only a matter of time before you join the 10 retailers mentioned above in the growing list of companies who have to explain to their customers that their information has been compromised.

DivvyCloud wants to help!

In the cloud?  If so, get your free trial of DivvyCloud and explore how we can secure your entire cloud environment.

DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

DivvyCloud’s Microsoft Azure CIS Insight Pack

In March 2018, Microsoft published the CIS Microsoft Azure Foundations Security Benchmark. CIS Benchmarks are the recognized industry-standard for securely configuring traditional IT components.

DivvyCloud has taken this prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure and implemented it as one of our Insight Packs.  DivvyCloud customers now have immediate, and continued visibility into the posture of their Azure environments against the Azure CIS benchmark, and can use Bots to automate the remediation of policy violations.

The Azure CIS benchmark’s purpose is to establish the foundation level of security for anyone adopting Microsoft Azure Cloud. Microsoft operates Azure using a shared responsibility model, similar to all public cloud providers. Per Microsoft, “shared responsibility in public cloud is related to the fact that you have a partner when you host resources on a public cloud service provider’s infrastructure. Who is responsible for what (regarding security) depends on the cloud service model you use (IaaS/PaaS/SaaS). With IaaS, the cloud service provider is responsible for the core infrastructure security, which includes storage, networking and compute (at least at the fabric level – the physical level).”  Microsoft has published the graphic below to illustrate how shared responsibility works across the cloud service models.

For a deeper dive into the shared responsibility model, check out Microsoft’s Shared Responsibilities for Cloud Computing paper.  This paper helps clarify to potential Azure customers where Azure’s implementation of security controls ends and begins, and where the customer’s responsibilities also begin and end (and this is where DivvyCloud’s Azure CIS Insight Pack comes in real handy).  

Interested in learning more? Get your free trial of DivvyCloud and see the Azure CIS Insight Pack in action.

DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Learn how Kroger went from 0-60 with GCP and containers to become a digital leader in retail at Google Cloud Next ’18 | Wednesday, July 25th, 2:00 – 2:20 PM in the South Hall

DivvyCloud is a sponsor of Google Cloud Next ’18 and at the event we are hosting a Cloud Talk, featuring Kroger’s Chief Architect Bruce Maxfield.  The session is Wednesday, July 25th, 2:00 – 2:20 PM in the South Hall Cloud Talk space.  

Bruce and DivvyCloud COO Peter Scott will discuss how Kroger, America’s largest supermarket chain, is using GCP to revolutionize the customer experience. Kroger is using the cloud to create improved shopping experiences in the store and online. Bruce will discuss how GCP provides the flexibility and capabilities required by the Kroger application development teams, how Kroger has securely gone from 0-60 in its use of cloud with containerized applications, and where he sees Kroger heading next with GCP.  Sign up today for the talk.

After the talk, or anytime, make sure to visit us at booth #1606 in West Hall!   Schedule a time to speak with our GCP and Kubernetes security and compliance experts at our booth and get answers to your questions.  

We look forward to seeing you July 24–26, 2018 at the Moscone Center in San Francisco!  You can learn more about Google Cloud Next ’18 or register now.

Join DivvyCloud at the AWS Summit New York | July 16-17 [Booth #809 at The Expo]

DivvyCloud is a sponsor of AWS Summit New York 2018 and the question we are asking all attendees is “Where do you need guardrails?”

DivvyCloud mitigates risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  

The AWS Summit is a great place for us to meet interesting people like you who are doing amazing things with AWS.  We’d love to learn more about your AWS goals, plans, and challenges and share our vision of how automation can make it a lot easier to securely operate AWS environments.  

Make sure to visit The Expo and see us at booth 809!   Schedule a time to speak with our AWS security and compliance experts at our booth on July 17th and get answers to your questions.  

If you haven’t attended before, the AWS Summits are free events designed to bring together the cloud computing community to connect, collaborate, and learn about AWS.  Probably the biggest session of the two-day event is the 9:30 am – 11:30 am Keynote featuring Dr. Werner Vogels and Dr. Matt Wood on July 17th. Outside of the keynote, you can also attend technical sessions, workshops, chalk talks, participate in team challenges, and of course visit us at booth 809 in The Expo. We look forward to seeing you at the Javits Center!  You can learn more about AWS Summit New York 2018 or register for free.

Join DivvyCloud at Google Cloud Next ’18 | July 24–26 San Francisco [Booth #1606 in West Hall]

DivvyCloud is a sponsor of Google Cloud Next ’18 and the question we are asking all attendees is “Where do you need guardrails?”

DivvyCloud mitigates risk by providing virtual guardrails for security, compliance and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (GCP, Kubernetes, AWS, Azure, and Alibaba).  

Google Cloud Next is a great place for us to meet interesting people, like you, who are doing amazing things with GCP and Kubernetes.  We’d love to learn more about your goals, plans, and challenges and share our vision of how automation can make it a lot easier to securely operate GCP and Kubernetes environments.  

Attend our Cloud Talk, featuring Kroger’s Chief Architect Bruce Maxfield as he discusses how Kroger, America’s largest supermarket chain, is using GCP to revolutionize the customer experience in the store and online. The session is Wednesday, July 25th, 2:00 – 2:20 PM in the South Hall Cloud Talk space.  

After the talk, or anytime, make sure to visit us at booth #1606 in West Hall!   Schedule a time to speak with our GCP and Kubernetes security and compliance experts at our booth and get answers to your questions.  

If you haven’t attended before, Next is a three day exhibition of inspiration, innovation, and education that brings together the entire community to learn from one another how the cloud can transform how we work and power everyone’s successes.  We are particularly excited for the 9:00am – 10:30am “Building a Cloud for Everyone” keynote on July 24th featuring Diane Greene, Urs Hölzle, Fei-Fei Li, and Prabhakar Raghavan. Outside of the keynote, you can also attend super sessions, breakout sessions, hands-ons labs, and of course visit us at booth booth #1606 in West Hall!

We look forward to seeing you July 24–26, 2018 at the Moscone Center in San Francisco!  You can learn more about Google Cloud Next ’18 or register now.

DivvyCloud CEO Interviewed on Federal News Radio

DivvyCloud CEO, Brian Johnson, was interviewed by Heather Quinn, Executive Leaders Radio, about how he came to be the executive leader he is today. The interview covers Johnson’s life between the ages of 9-14 and how that impacted his career later, with a deeper dive on his struggles with formal education and his belief that passion is a driving force for overcoming adversity.

While it’s not a panel discussion, there will be three other guests (listed below) alongside Brian telling their stories as well.

Other Guests:

  • Jodie Hughes, Regional President of BB&T Bank
  • Bruce McNamer, President, and CEO of Greater Washington Community Foundation www.cfncr.org
  • Kathleen Cannon, Managing Partner of Kelly Drye & Warren www.kellydrye.com

The segment will air locally on Sunday, July 8th, from 9-10am on WFED/1500AM and is simulcast on WWFD/820AM (www.federalnewsradio.com). It will also broadcast nationally on Saturday, July 15th, from 7-8am (EST) on Biz Talk Radio: www.biztalkradio.com and www.tunein.com (“Best of Executive Leaders Radio” is also broadcast on Sundays).

Exactis Exposed 340 Million Individual Consumer Records – DivvyCloud Would Have Prevented It

In early June, security researcher Vinny Troia discovered that Exactis, a data broker based in the United States, had inadvertently misconfigured an AWS ElasticSearch Service instance and in doing so had exposed approximately 340 million consumer records to the public. Out of the box, DivvyCloud’s software would have detected this misconfigured instance and automated the remediation to close this vulnerability in real-time.

Like so many AWS, GCP, Azure, and Alibaba cloud services, AWS ElasticSearch Service is an incredibly powerful and useful service. It is also very challenging for IT professionals, developers, and engineers to consistently configure these powerful services in a way that mitigates security and compliance risk.

First, it is a daunting task to learn about how to configure ever-evolving cloud services correctly — it is like drinking from a firehose. Second, it is even more daunting to know how to do this relative to the security standards (e.g., CIS Benchmark or NIST CSF) and regulatory frameworks (e.g., PCI DSS or HIPAA) that a company chooses to or must comply with. And lastly, it is difficult for any one person or group of people to achieve 100% consistency in applying these standards at the speed and throughput that we ask our tech teams to operate.

DivvyCloud solves these challenges for customers like General Electric, Discovery Communications, and Fannie Mae using cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of cloud and container infrastructure allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

In a nutshell, we mitigate security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure.

Cost-Effective Cybersecurity Tips for Mid-Sized Enterprises

“Significantly more than half of all cyber attacks are directed at SMEs, and that number is steadily increasing.” – Chubb

Why don’t mid-sized enterprises protect themselves better?
The majority of cyber attacks we hear about, focus on big companies. Surveys have shown that many mid-sized enterprises believe they are too small to be “noticed.” However, as the quote from Chubb indicates, this stance does not jive with reality. Mid-sized organizations often don’t want to believe that it will take massive investments of capital and people to improve their cybersecurity posture. But here’s the thing, according to Jason Compton’s (Forbes Contributor) article, 5 Cybersecurity Measures Mid-Sized Businesses Need To Take Today you don’t need to “write a big check” to increase your organization’s security.

Compton suggests you put these five ideas to work:

  1. Be direct with employees about their responsibilities. “Employee education and awareness are some of the best investments in protection,” said Tyler Leet, director of risk and compliance services at CSI, developers of financial services infrastructure. “And you don’t have to invest tens of thousands of dollars in equipment to minimize employee mistakes.”
  2. Assess risk in a mature, priority-driven way. Instead of aiming for the impossible, focus your protection efforts on the assets that matter most to you — and those with the greatest appeal for attackers.
  3. Systematically tighten access controls. Coordinate your approach to authentication, so it makes sense and is consistent with modern cybersecurity theory.
  4. Stay informed of legal developments at the federal and state levels.
  5. Appoint a business-minded cybersecurity czar. It’s essential to have a leader who can translate cybersecurity strategy into the language of business risk and opportunity.

DivvyCloud aligns nicely with points 1-3 above and makes these points more accessible relative to security when running in AWS, Azure, GCP, or Alibaba Cloud. The self-service and dynamic nature of cloud infrastructure creates challenges for risk and compliance professionals who protect their organization with security and governance controls. Tools and controls that worked well for security and compliance in the traditional datacenter do not translate to the public cloud. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).

First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

If interested in learning about how DivvyCloud can help you improve your security and compliance in the cloud, click here.

DivvyCloud Featured in Forbes Leadership Blog for “Beating the Odds”

Andrew Goldsmith’s (Forbes Contributor) article “3 Leadership Insights From A High-Tech Startup That Beat The Odds,” begins with the results of a study from the Information Technology and Innovation Foundation: “The Information Technology and Innovation Foundation found roughly 60% of tech firms die within 5 years.”

DivvyCloud, now in its 6th year has beaten the odds and shows no signs of slowing down. “It has developed software that lets businesses create “bot armies” to protect and optimize their IT cloud network infrastructure. Its base of corporate customers includes Discovery Communications, Fannie Mae, and GE, and is in expansion mode.”

Goldsmith interviewed the founders of DivvyCloud and came away with three significant insights for leaders facing similarly challenging environments:

1. Hire People Who Can Succeed In A Startup – And At A Fortune 100
“DivvyCloud needed people who could bridge both types of organizational cultures. For any leader trying to steer a company in a tough market the lesson is clear: you need people with high levels of passion and flexibility, not just relevant experience.”

2. Connect One-On-One
“What the founders learned was that as important as great technology is, it won’t tell your story. A big part of DivvyCloud’s success has been its ability to capture customers’ imagination in person when its leadership team meets with potential customers one-on-one.”

3. Listen And Pivot
“A single piece of negative feedback – and how leaders respond to it – can affect an organization’s success trajectory. DivvyCloud experienced this firsthand when a promising meeting, held when the company was just getting started, started to go south.” The COO politely let the DivvyCloud team know multiple companies were offering similar solutions, some 12-18 months ahead of DivvyCloud from an enterprise capabilities perspective. “This happens when you are an early-stage business. And many entrepreneurs would have said “thank you,” and called it a day. But the DivvyCloud team didn’t do that.” Instead, it shifted gears and eventually landed the deal.

Our Story
The year was 2009 and Electronic Arts (Nasdaq: EA), the $3.8B gaming company, was making a huge strategic bet by moving some of its products “into the Cloud.” The infrastructure team (including DivvyCloud founders Brian, Chris, and Andrew) were tasked with making this cloud vision a reality. They quickly found managing over 5,000 servers, in five different countries, with millions of paying subscribers in a hybrid-cloud environment to be an incredibly complex, time-consuming, and risky proposition. At the time, there were simply no tools to provide a consolidated view and automation framework for resources spread across different public and private clouds. Ultimately, in 2012 the team left EA and poured their experiences and expertise into building DivvyCloud.

Six years later, we are honored to be featured in the Forbes Leadership Blog and to be given a chance to share our experience and insights with leaders in similar challenging environments.

Mitigating the Risk of Operating Workloads in Cloud and Container Services

The self-service and dynamic nature of cloud and container infrastructure creates challenges for risk and compliance professionals who protect their organization with security and governance controls.   It is far too common and too easy for a developer or engineer to misconfigure AWS or Kubernetes and create a vulnerability. Take for example the recent security incident at Weight Watchers where an unsecured Kubernetes console was left exposed.  Luckily this vulnerability was discovered by security researchers who alerted the company rather than exploit it. These misconfigurations are just a further continuation of the same old stories we have seen repeated weekly in the media about AWS S3 bucket leaks.  

So why does this happen so often?  

1. When you have dozens or hundreds of engineers and developers provisioning and configuring cloud and container services, this creates risk by itself.  Not all of these people will know how to configure these services correctly, they won’t necessarily know what security and compliance standards they need to adhere to, and even further they may not know how to apply those standards to these diverse services.  On top of all that, even the best person can miss a step in a SOP or flat out make a mistake.

2. The security teams are often overwhelmed by the rate of change that occurs in cloud and container environments.  Added to that, the tools and controls that worked well for security and compliance in the traditional datacenter do not translate to the public cloud.  This lack of translation means that security and operations teams are unable to get visibility into the security and compliance posture of these environments, and are often left doing the best they can do manually triaging issues when they come to their attention.  Manually having to sort and solve these problems is a frustrating approach and leaves companies open to substantial security and compliance risk.

At DivvyCloud we offer a better way.  Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  

First, our software performs real-time, continuous discovery of infrastructure running in cloud and container environments allowing customers to identify risks and threats.  Second, customers can implement out-of-the-box or custom native policy guardrails for cloud and container services that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

Request a demo of DivvyCloud today if you are looking to mitigate the risk of operating workloads and applications in cloud and container services.

How CTO John Honeycutt Has Moved Discovery to the Cutting Edge of Media Ingest and Distribution

Glen Dickson at TVNewsCheck conducted an in-depth interview with Discovery Chief Technology Officer John Honeycutt.  In the interview, Glen dives in deep with John on how he has moved Discovery to the cutting edge of media ingest and distribution by blending traditional supply-chain architecture with the latest in IP and cloud technologies.  He also discusses how through this strategy Discovery has disrupted and revolutionized the media and entertainment industry to the benefit of Discovery and consumers. You can read the full interview with John Honeycutt here.

DivvyCloud is proud to have been core to Discovery’s cloud strategy.  DivvyCloud’s importance to this strategy was recognized in 2016 when Discovery Communications Ventures invested in DivvyCloud.  Discovery decided to invest in DivvyCloud after being an enterprise customer for over a year. At the time of the investment, John Honeycutt said, “Given the value that DivvyCloud has delivered to Discovery in our adoption of the cloud, we see a real potential for growth that we’re excited to be a part of.”

The self-service and dynamic nature of cloud infrastructure creates challenges for risk and compliance professionals who protect their organization with security and governance controls.  Tools and controls that worked well for security and compliance in the traditional datacenter do not translate to the public cloud. Customers like Discovery run DivvyCloud’s software to achieve continuous security governance in cloud environments (AWS, Azure, GCP, and Alibaba).  

First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats.  Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.

We mitigate risk by providing virtual guardrails for customers embracing the dynamic, self-service nature of public cloud infrastructure. In doing so, DivvyCloud empowers our customers, like Discovery, to fully embrace the corporate innovation that use of cloud technologies can drive.  

ComputerWorldUK Honors DivvyCloud: One of the Best Cloud Management Tools of 2018!

ComputerWorldUKWe are delighted to announce that Computerworld UK has named DivvyCloud one of the “Best Cloud Management Tools” of 2018.

ComputerWorld UK compiled a list of cloud computing management tools that aim to help manage costs, usage, and ultimately optimize the cloud. DivvyCloud made #2 on their list!

In ComputerWorld UK’s words:

DivvyCloud offers a three-pronged approach to cloud management, focusing on cloud security, compliance, and governance.

 

Able to work with all major cloud providers including AWS, Azure, and Google, this cloud management service will manage cloud costs by ‘enforcing your global tagging policy’, as well as providing analysis of your bills so you can keep your cloud spending under control.

 

It will also reduce the worry associated with complying with these regulations and standards PCI DSS, HIPAA, and GDPR, as well as many others.

We are honored by ComputerWorld UK’s recognition of DivvyCloud being one of the best cloud management tools.

Interested in learning more about how DivvyCloud’s software can help improve your security, cost management, and compliance in the cloud? Sign up for a demo or check us out on your own with a free trial.

What’s New with DivvyCloud? 18.4 – Fourth Feature Release of the Year

 

Twice a quarter DivvyCloud releases new product features, and we are excited to announce our fourth feature release of 2018!  Collaboration with our customers and the community help shape these releases across all the pillars of our product: discovery, analysis, and automated action. 18.4 is jam-packed with goodness — more data, more orchestration, and greater accessibility, including:

  • Support for Alibaba Cloud. We’ve added support across the entire DivvyCloud platform, including insights, bots, and compliance packs, for Alibaba Cloud.
  • A new Azure specific compliance pack that maps to the recently released CIS Microsoft Azure Foundations Security Benchmark.
  • Support for AWS Trusted Advisor which broadens and deepens our ability to provide insights and actions for security, fault tolerance, and cost optimization in Amazon Web Services.
  • Jira integration.  DivvyCloud allows customers to automate remediation of policy violations, and DivvyCloud Bots can now open Jira tickets. Jira is a service management tool from Atlassian.  

Below we dive more deeply into these four highlights from our latest release:

_____________________________________________

  • More cloud support: Alibaba Cloud – Doing business in China?  A lot of our customers are, and they have embraced Alibaba Cloud.  In response, our latest release also welcomes Alibaba Cloud creating parity within our platform with other primary public cloud providers.  DivvyCloud now supports Alibaba Cloud across the entire platform allowing customers to perform real-time, continuous discovery, identify policy violations with Insights, and automate remediation of violations with Bots. Never heard of Alibaba Cloud?  It is the $2B cloud computing arm of Alibaba Group (NYSE: BABA), Alibaba Cloud provides a comprehensive suite of global cloud computing services to power both our international customers’ online businesses and Alibaba Group’s e-commerce ecosystem. In 2017, Alibaba Cloud was placed in the Visionaries’ quadrant of Gartner’s Magic Quadrant for Cloud Infrastructure as a Service, Worldwide. With their world-class infrastructure and ever-expanding global presence, Alibaba Cloud is dedicated to becoming a leading global cloud services provider.

 

  • Improved security and compliance: Azure CIS Insight Pack – In March 2018, Microsoft published the CIS Microsoft Azure Foundations Security Benchmark. DivvyCloud has taken the prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure and implemented it as one of our Insight Packs.  This means that customers can now gain immediate and continued visibility into the posture of their Azure environments against this benchmark, and then use Bots to remediate policy violations.

 

  • Take action:  Trusted Advisor Checks – Trusted Advisor is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment. DivvyCloud is making Trusted Advisor better by making it more frequent, more accessible, and centralized across your account.  Normally Trusted Advisor refreshes its data once per week unless you manually trigger a refresh. To improve the frequency of this data so that we can use it to drive automation, we automate the refresh of Trusted Advisor every two hours. Teh two-hour refresh means that we can gain identify security risks quickly and take action to remediate these risks.  For example, if a developer puts an API access key inside of GitHub, this will be flagged by Trusted Advisor, DivvyCloud will identify this policy violation, and alert you or take actions that you have specified.

 

  • Integrations: Jira – The basic use of Jira is to track issues, and bugs related to your software and Mobile apps. DivvyCloud’s integration with Jira makes it easy for our bots to open Jira cases and send information about the resources.  Jira is a service management tool from Atlassian.

_____________________________________________

Interested in learning more? Click here to view the full release notes associated with our 18.4 release, or get your free trial and see our features in action.

DivvyCloud delivers comprehensive policy-driven security, compliance, and governance for cloud infrastructure (AWS, Azure, GCP, Alibaba Cloud, VMware, and OpenStack).  Our software performs real-time discovery of connected clouds, distills this data into actionable insights, and then makes it easy to configure policies that are automatically enforced across all clouds.  In essence, we provide virtual guardrails for security, compliance, and governance that help customers like GE, Discovery, and Fannie Mae go big and go fast in the public cloud, but still stay secure and compliant.

The GDPR Impact on U.S. Businesses

On May 25, 2018, the General Data Privacy Regulation (GDPR) went into effect. This new European legislation is changing the way organizations worldwide process and store user, employee, and client data, and there are significant consequences for noncompliance.

GDPR was created to ensure consumer privacy better. Businesses who collect information from consumers in Europe are subject to stricter data protection policies. Organizations now need consumer consent to not only obtain their information but also to use it for any marketing or business purposes. The language of consent must be clear as well as easy to find, read, and understand. Company privacy policies must also be easy to find by consumers.

How are U.S. Companies Affected by GDPR?

U.S. companies that handle data on EU consumers are affected by GDPR. In his article “The Affects of GDPR on North American Companies,” Jonathan Dyble writes two critical points to note: “Firstly if the EU consumer (or subject) is not in the EU when you collect your data, the GDPR does not apply. Secondly, your prospects do not need to purchase from your site for the GDPR to apply to your business. Even if you happen to be collecting data as part of a marketing survey, those EU consumers are protected under the terms of the GDPR.” If a company sends out a marketing survey not directly targeting EU consumers, yet a consumer from England happens to fill out the survey, he/she is not protected by GDPR. However, if the company’s survey references EU consumers in any fashion, those consumers will be protected by GDPR.

Marianne Chrisos, in her article “What Companies are Affected by GDPR?” listed a few questions U.S. based business can ask to find out if they are affected or not:

  • Does the business market to customers in the EU? (Generic marketing – like a Google ad found by an EU customer – wouldn’t count, but targeted marketing, like a Facebook ad for European customers, would.
  • Does the company have a current customer base in the EU?
  • Does the company have any employees that work in the EU?

Answering “yes” to any of these questions means your business will likely be affected by the GDPR regulations. Additionally, these regulations will likely guide companies that accept payment in Euros.

Ultimately, the GDPR means significant changes for personal data, but it can benefit your business in the long-term if you comply with the rules. Full transparency shouldn’t be thought of as a strike from the reaper’s scythe, but instead as a way to build trust, engagement, relationships, and subsequently, revenue with your consumer.

“The GDPR has extensive compliance regulations for many businesses in the United States. It’s important that businesses that are not yet affected begin thinking about data safety and security protocols now, as the GDPR may be indicative of more regulations to come regarding consumer data. The work to ensure compliance with GDPR is extensive, but a commitment to customer data safety and protection is a worthwhile pursuit in this digital age.”

DivvyCloud can help customers stay GDPR compliant by providing guardrails for compliance across Amazon Web Services, Microsoft Azure, Google Compute Platform, Alibaba Cloud, VMware, and OpenStack. Try DivvyCloud for free to see our features in action and how they can help your company become and stay GDPR compliant.

Are European Enterprises Ready for Multi-Cloud?

Enterprises both in the U.S. and across Europe are facing growing pressure to embrace multi-cloud infrastructure. Though IDC research suggests multi-cloud environments will soon be the norm for European enterprises, we look for answers into why the current multi-cloud adoption rate is so low.

In her article “Enterprise readiness for multi-cloud adoption is low across Europe, suggests IDC research” on ComputerWeekly.com, Caroline Donnelly uses IDC research to suggest there is a disparity between the UK and their European counterparts in readiness shifting applications and workloads across multiple cloud providers. IDC surveyed over 600 business executives and IT leaders across Europe (including the UK) on their “readiness to adopt a multi-cloud IT consumption model” and just over a third of respondents said they have no plans to move their applications and workloads from their current cloud provider. UK respondents, however, revealed 29% are plotting such a move.

So what’s the worry amongst European enterprises?

The IDC’s research seems to suggest “a high level of uncertainty within enterprises about how best to pursue a mix and match strategy to sourcing and consuming cloud services from multiple providers.” Even with their concerns, Giorgio Nebuloni, research director for European multi-cloud Infrastructure at IDC, said “virtually all European enterprises will soon use multiple cloud services. The smart ones are already actively planning for those services to be benchmarked, price-compared and selected against each other based on the workload need.”

The IDC’s research also foreshadows a need for enterprises to manage and operate a mix of infrastructure, platform, and software as a service models across private and multiple public clouds. It seems (at least in the present) failure to create a strategy that enables this will be bad for business.

One of the major risks of not transitioning to a multi-cloud environment, both across Europe and the United States, is vendor lock-in. As Microsoft, Google, and Amazon are increasingly entering new markets, companies should be wary about being reliant on a single cloud provider and possibly being put in the position of delivering financial support to a vendor that could be taking business from them.

Implementing a multi-cloud strategy allows for more advantageous contract negotiating and access to best-of-class cloud technologies and services available from every and any cloud technology provider. Access to multi-cloud services creates an opportunity to innovate in ways and with speeds that have previously been impossible, and this is vitally important to company success.

At DivvyCloud, we help customers embrace multi-cloud by providing guardrails for security, compliance, and governance across AWS, Azure, GCP, VMware, and OpenStack. With our multi-cloud platform, developers have the freedom to choose which clouds are best suited to their company’s needs without IT having to develop policy automation and compliance solutions for each cloud.

Schedule a demo to see our features in action and how they can help your company.

Read Caroline Donnelly’s article: “Enterprise readiness for multi-cloud adoption is low across Europe, suggests IDC research.”

What’s New with DivvyCloud? 18.3 – Third Feature Release of the Year

We are thrilled to announce that the new version of DivvyCloud has been released! Twice a quarter, DivvyCloud releases new product features and 18.3 is our third release of 2018.  

We’ve made our Insights and Insight Packs more powerful through expanded security and compliance standards support, especially with NIST 800-53 and NIST CSF, and with additional visualizations.  

We have highlighted just a few of the features that we are excited about (or you can jump right to our full release notes):

_____________________________________________

Release Highlights:

  • Insight Packs map our Insights against the controls found in security and compliance standards, including HIPAA, PCI DSS, CIS, GDPR, SOC 2, NIST CSF, NIST 800-53, ISO 270001, and FedRAMP CCM 3.0.1.  Customers can use these packs to quickly ascertain how their cloud infrastructure scores against these standards. With 18.3, we’ve expanded several Insight Packs, including NIST 800-53 and NIST CSF, adding more than a dozen Insights based on new cloud services added in this release. These additional checks will accelerate customers’ ability to ensure continuous compliance with these standards as they go forward in the cloud.  

 

 

  • Our Insights have become even more powerful with the new ability to visualize the trailing 90 days of historical data points. This is especially useful to establish a benchmark to measure your organization’s improvement against security and compliance standard over time. Many DivvyCloud customers implement our software in “brownfield” cloud environments and this feature helps them report on the impact of the automated actions they have configured in DivvyCloud to enforce these standards.

 

  • AWS Enhancements:  AWS is a rapidly evolving platform. As customers continue to adopt new AWS services, DivvyCloud works to provide additional security Insights and automated remediation capabilities for these services. With this release, DivvyCloud introduces support for DynamoDB, WorkSpaces, and Simple Queue Service (SQS). This brings DivvyCloud’s AWS support to over 40 AWS services.

_____________________________________________

 

Interested in learning more? Click here to view the full release notes associated with our 18.3 release, or schedule a demo to see our features in action.

DivvyCloud delivers comprehensive policy-driven security, compliance, and governance for cloud infrastructure (AWS, Azure, GCP, VMware, OpenStack, etc).  Our software performs real-time discovery of connected clouds, distills this data into actionable insights, and then makes it easy to configure policies that are automatically enforced across all clouds and accounts/subscriptions.  In essence, we provide virtual guardrails for security, compliance, and governance that help customers like GE, Discovery, and Fannie Mae go big and go fast in the public cloud, but still stay secure and compliant.

 

State of Identity Podcast: Policy Automation for the Cloud | DivvyCloud

State of Identity” is the leading podcast for the identity industry. Each week, Cameron D’Ambrosi hosts conversations about the technologies, companies, and paradigms that are defining the world today.

This week, DivvyCloud CEO/Co-Founder Brian Johnson joins Cameron D’Ambrosi as they discuss the security and compliance challenges facing organizations leveraging cloud computing solutions, and how policy automation can help solve them.  

If interested in learning more about DivvyCloud or about how our software can help you improve your security and compliance in the cloud, click here.

Hybrid Cloud & Multi-Cloud: Understanding the Differences

Rapid innovation and the ability to create software faster is the dream of all companies, and this is why the cloud is a game-changer. Cloud solutions eliminate the need for procuring extra hardware and software, enabling organizations to focus on developing their business instead of implementing and maintaining their own IT infrastructure. According to a study by Microsoft, nearly a third of organizations are working with four or more cloud vendors. It would seem that the future of IT isn’t just cloud computing – it’s multi-cloud. However, no large enterprise can fully transition to the cloud in one fell swoop, and that’s where the hybrid cloud strategy comes into play.

In his article “Hybrid Cloud vs. Multi-cloud: What’s the Difference, and Why Does It Matter?,” Neal Matthews, Principal Architect at Cloud Technology Partners, takes an in-depth look at hybrid cloud and multi-cloud strategies. He notes “the two terms are often confused, yet are likely to be the most important over the next few years.”

Hybrid Cloud

For every enterprise whose goal is to migrate entirely to a public cloud provider such as AWS, Google Cloud Platform, or Microsoft Azure, “there is going to be a necessary transition period.”  During the transition period, “the enterprise will have some resources, systems, and workload capabilities that have been migrated to public cloud, while others remain in the enterprise data centers or colo hosting centers.  This interoperability is a common example of a hybrid cloud.”

Multi-Cloud

“This term seems relatively self-explanatory: deploy cloud infrastructure on more than one public cloud provider, with or without an existing private cloud. However, the motivation for WHY companies might consider multi-cloud approaches and architectures is where things get interesting” (Click here to learn why many companies have adopted a multi-cloud strategy).

Traditionally, companies would select a single public cloud vendor with whom to partner.  However, recent trends are showing companies have (or will) rapidly moved to adopting multi-cloud strategies, choosing to work with more than one public cloud provider.

At DivvyCloud, we help customers manage AWS, Azure, GCP, VMware, and OpenStack, and this provides us a unique position to identify and understand trends in cloud computing.  With our multi-cloud platform, developers have the freedom to choose which clouds are best suited for their company’s needs without IT having to develop policy automation and compliance solutions for each cloud.

Schedule a demo to see our features in action and how they can help your company.

Read Neal Matthews’ article, “Hybrid Cloud vs. Multi-cloud: What’s the Difference, and Why Does It Matter?

DivvyCloud Honored as One of Ten “Best Tech Startups” in Arlington, Virginia

We are delighted to announce that The Tech Tribune has named DivvyCloud one of the “Best Tech Startups in Arlington, Virginia.”

In doing their research, The Tech Tribune considered several factors including but not limited to:

  • Revenue potential
  • Leadership team
  • Brand/product traction
  • Competitive landscape
  • Additionally, all companies must be independent (un-acquired), privately owned, at most ten years old, and have received at least one round of funding to qualify.

In The Tech Tribune’s words:

DivvyCloud is a leading developer of innovative technology to automate and optimize cloud infrastructure. We deliver multi-cloud infrastructure visibility and automation to improve security, compliance and cost governance. Our software supports all major cloud providers including Amazon, Microsoft, Google, OpenStack, VMware, Rackspace, IBM Softlayer and DigitalOcean.

The value of DivvyCloud software has been proven with enterprise customers like General Electric, Discovery Communications, and Fannie Mae, among others. DivvyCloud is differentiated in the market with its native multi-cloud policy automation; its patent-pending data harvesting technology; and its platform-first strategy that allows customers and partners to leverage the DivvyCloud platform to develop their own cloud management solutions and products.”

We are honored by The Tech Tribune’s recognition of DivvyCloud being one of the most successful tech startups in Arlington, Virginia.  


If interested in learning more about DivvyCloud or about how our software can help you improve your security and compliance in the cloud, click here

 

Success Stories and Advice From IT Leaders Who Have Migrated to Public Cloud

Organizations are increasingly moving to the cloud – not just for cost-cutting purposes but for business agility as well. There is no shortage of opinions on best practices regarding transitioning to the public cloud, but we can learn from the IT leaders who have seen strategic success as a result of migrating to the cloud.

Clint Boulton, a Senior Writer for CIO, spoke with several of those IT leaders about their business drivers, experiences, and lessons learned in moving to the public cloud.  Many of the IT leaders also offered practical advice for CIO’s looking to strategically transition to the cloud.

Liberty Mutual, CIO, Mojgan Lefebvre:

Experience: When employees complained that downloading large documents from a legacy file system was a chore, Lefebvre adopted a cloud-based content management system running on Amazon Web Services.

 

“Teams spread across 46 offices in 18 countries now download and share roughly 500,000 digital files anywhere in the world by accessing the content from cloud document management system Alfresco, which runs on AWS regional data centers. Such localization serves up the documents with little to no latency while saving Liberty Mutual roughly $21 million in paper, printing and storage costs,” Lefebvre said.

 

Advice:Inform employees about the change in advance and provide training as needed. Also be sure to provide a consistent message to end users and set expectations, and have the processes in place to support end users.”

Live Nation, VP of Cloud Services, Jake Burns:

Experience: The CEO ordered the company to move 100 percent to a public cloud. “He wanted us to be this modern, agile company,” Burns said.

 

“Going all in on the cloud in a cost-effective way can be done, and we’re the proof.”

 

Advice:  “Consider hiring someone with technical and business chops who can understand the costs associated with consuming cloud technologies. That will save you from bill shock. You need to have somebody who understands the technology and who is accountable for costs.”

MetLife, Chief Technology Architect, Alex Seidita:

Experience: MetLife uses Microsoft Azure to power its microservices, including call center capabilities and Infinity, application customers use to store photos, documents, and other content. As a result, MetLife has reduced the time to deploy new virtual machines by an average of 83 percent. The company also consumes IBM Softlayer to operate disaster recovery-as-a-service.

 

“We’ve been able to leverage the same kinds of capabilities internally and externally for automation, which drives speed and agility,” Seidita said.

 

Advice: “CIOs, particularly those working in regulated industries, should seriously weigh what software services are appropriate to move to the cloud. MetLife created a “cloud-fit assessment,” in which application inventory is scrutinized to determine which apps can be moved to the cloud, and which new apps should be developed in the cloud, based on security and governance requirements.”

Many enterprises are well into the adoption phase of cloud migration, and the cloud is a game-changer when it comes to innovation and the ability to create software faster. This is the dream of all companies, and we’ve seen this trend among our customer base as well.

However, there are risks associated with turning up access to the cloud to a large population. For example, with hundreds of developers able to access Amazon Web Services (AWS), ensuring security, compliance and governance can be a challenge for IT managers.

DivvyCloud enables an agentless platform that delivers policy-driven automation for public and private cloud infrastructure. DivvyCloud empowers developers and engineers to innovate and simultaneously protects the corporate IT directive to provide security and compliance. With our multi-cloud platform, developers have the freedom to choose which clouds are best suited for their company’s needs without IT having to develop policy automation and compliance solutions for each cloud. Schedule a demo to see our features in action and how they can help your company.

Read Clint Boulton’s article, “Public cloud: Real-world lessons of strategic success.”

DivvyCloud Hosts Discussion on Media Adoption of the Cloud at NAB Show 2018

DivvyCloud helps media and entertainment companies control and secure their content in their digital supply chain running in the cloud.  Our software provides virtual guardrails for security, compliance, and governance that help customers, like Discovery, Mediacorp, Sky Network Television Limited, and Turner, go big and go fast in the cloud, but still stay secure and compliant.  

At NAB Show 2018, we will be hosting the panel discussion, “Cloud WINS GOLD at the Winter Olympics – how cloud is impacting business strategies in media and entertainment.” Hear industry leaders share insights from the front lines, including Dave Duvall SVP Discovery, Thomas Martin former CIO GE, and Stavros Hilaris CTO Mediavision Cloud.  You can register for the session through the NAB Show website.

You can also visit us at booth # 3432 in the SPROCKIT Hub area in the North Hall, or schedule a time to meet.  The SPROCKIT Hub features the most promising, market-ready media and entertainment entities from around the world – the Best of the Best. These “By Invitation Only” companies, like DivvyCloud, have proven products, customers, services and are ready to scale.

DivvyCloud has been helping to reshape how the media industry adopts cloud computing.   In fact, our impact has been so substantial that in 2016, Discovery invested in DivvyCloud, through Discovery Communications Ventures, after being an enterprise customer for over a year. “Given the value that DivvyCloud has delivered to Discovery in our adoption of the cloud, we see a real potential for growth that we’re excited to be a part of,” said John Honeycutt, Discovery Communications Chief Technology Officer.

Visit our NAB Show page for video and written content from customers Don Browning of Turner and Dave Duvall of Discovery Communications on how they have embraced cloud computing and helped their companies become digital leaders.

We hope to see you at NAB Show 2018!

What’s New with DivvyCloud? 18.2 – Second Feature Release of the Year

DivvyCloud delivers comprehensive policy-driven security, compliance, and governance for cloud infrastructure (AWS, Azure, GCP, VMware, OpenStack, etc).  Our software performs real-time discovery of connected clouds, distills this data into actionable insights, and then makes it easy to configure policies that are automatically enforced across all clouds and accounts/subscriptions.  In essence, we provide virtual guardrails for security, compliance, and governance that help customers like GE, Discovery, and Fannie Mae go big and go fast in the public cloud, but still stay secure and compliant.

We are thrilled to announce that the new version of DivvyCloud has been released! Twice a quarter, DivvyCloud releases new product features and 18.2 is our second release of 2018.  We have highlighted a few features that we are excited about (or you can jump right to our full release notes):

___________________________________________________________

Release Highlights:

  • We have added to our Insight Packs (security and compliance standards.) New to the packs are FedRAMP. The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment. We offer these Insight Packs as a starting point for our customers to accelerate their ability to meet security and compliance requirements.  

Featured Insight Packs

  • Clouds are always changing, and we are always growing with them.  This release adds greater support across all clouds, but there was a special focus on supporting a larger number of Microsoft Azure (ARM), Google Cloud Platform, VMware services, and AWS.
  • DivvyCloud Insights, a collection of filters or how you ask questions about your data, now suggest actions to enforce or remediate best practices, show how related bots have taken action, and can flag issues as resolved.
  • We have enhanced our Badge functionality.
    • What are Badges?  Badges are a DivvyCloud feature that allows you to ‘badge’ your cloud accounts with key/value pairs and use global metadata to manage your cloud infrastructure. These are similar to AWS Tags or GCP Labels, but specific to DivvyCloud functionality. Badges help our customers with dozens or hundreds of cloud accounts and subscriptions to efficiently manage highly complex cloud environments.  
    • Why is this important? You can now dynamically scope Bots using and/or logic, add Badges to new or existing cloud accounts and leverage them to simplify role-based access at scale.  

Interested in learning more? Click here to view the full highlights associated with our 18.2 release, or schedule a demo to see our features in action.

I am pleased to introduce the Intel Compute Card, the future of private cloud.

During my time as an ”Ops Guy” at Electronic Arts, I became very interested in the future of private cloud. For many companies, the future of cloud is a confusing one. While public cloud can provide great benefits such as speed and flexibility, anyone with a pen and paper (or spreadsheet) can quickly see that it is not always the most cost-effective option. As a result, more and more Enterprises are turning to private cloud for some of their applications.  

Before going hog wild and building our own private cloud, it’s worth taking a look at what we have learned from many years of leveraging public cloud. If public cloud has taught engineers anything, it is how to build and deploy applications on commodity hardware. Developers moved applications into the cloud fully aware that the server they are running code on might disappear at any moment. Software development of today has made leaps in bounds towards the idea that an application must be able to deal with server failure without freaking out. The days of yesterday where IT professionals cared for their servers in a way akin to a mother raising her young are gone. Servers today are viewed as ephemeral, being stood up and torn down through standard CI/CD processes. As someone recently said to me, “Server hugging is so 2000’s”

With this knowledge, the question becomes: Can we deploy an internal cloud using some of the same principles of public cloud, namely reduced cost through commodity hardware? Enter the Intel Compute Card. The Intel Compute Card was first seen at CES 2017 and was originally developed to power the next generation of appliances (TVs, Refrigerators, etc..) But for many reasons, Intel may have accidentally built the perfect cloud server.  

Coming in at 94.5m x 55mm x 5mm  the intel compute card is small in stature but not in capabilities. Sporting a dual-core i5 vPro Intel processor, dual-channel  DDR3 4Gb memory, 128Gb SSD storage, integrated ethernet, and graphics this machine has more than enough power to handle most micro-services that are the trademark of today’s distributed architectures. Things get very interesting when one looks at the power consumption of this tiny beast. At ~20 watts, you can get almost 17x the number of cores and memory when compared to a standard 1U server (300 Watts). Furthermore, The Intel Compute Card comes in at just under $200.00 and has a unified form factor for easy replacement. Current docking devices come with an actual eject button, making swapping out a dead node very easy (Seriously – 3 ½” disk style).  

One can quickly imagine a world where your application nodes are powered by disposable, unified, compute cards. No need to worry about “hardware refresh”,  simply pull out the card and slide a new one in. Now obviously, this technology might not be your first option when choosing where to put your database, but as a K8s node?  Interesting….

ABC Tech Zone Interviews DivvyCloud CEO, Brian Johnson

Brian Johnson, DivvyCloud co-founder and CEO, was interviewed by Paul Amadeus Lane of ABC Tech Zone regarding the growing trend of businesses shifting to multi-cloud strategies.

Lane began the interview by asking Johnson why companies were transitioning from single cloud to multi-cloud strategies. Brian responded by stating that cloud providers themselves spent an incredible amount of money and time trying to convince us only one cloud provider was all we ever needed.

Brian continued by explaining how the threat of vendor lock-ins and M&As were among the top reasons contemporary businesses were moving to multi-cloud strategies and how DivvyCloud is helping companies make this change strategically.

(There is also a considerable amount of time spent between Lane and Johnson nerding out over video games.)

To learn more about growing trend of multi-cloud strategies (and video games), watch the interview here.

DivvyCloud Featured on Android Headlines

DivvyCloud was featured on Android Headlines in an article titled “Vendor Lock-Ins, M&As Pushing Firms To Multi-Cloud: DivvyCloud,” written by Dominik Bosnjak.

Brian Johnson, DivvyCloud’s co-founder and CEO, was asked to give his thoughts on why companies are choosing to adopt two or more cloud computing services.

“The threat of vendor lock-ins and M&As are among the top reasons that are pushing contemporary businesses to multi-cloud strategies,” said Johnson.

According to Johnson, the industry shift to multi-cloud solutions currently taking place is unlikely to stop soon. In fact, more and more organizations are transitioning from using a single vendor such as Microsoft Azure, Google Cloud or Amazon Web Services and instead opting for numerous public cloud service providers.

To learn more about the growing trend of multi-cloud strategies, read the article here.

 

DCA Live Honors DivvyCloud as a 2018 Red Hot Cyber Company

We are delighted to announce that DCA Live has named DivvyCloud one of their “2018 Red Hot Cyber Companies.”

This award recognizes us as one of the fastest growing and most successful cybersecurity companies in DC.  DivvyCloud software enables organizations to achieve their cloud computing goals by simplifying and automating security, compliance, and cost optimization of public and private cloud infrastructure. Our software performs real-time discovery of connected clouds, distills this data into actionable insights, and then makes it easy to configure policies that are automatically enforced across all clouds.  In essence, we provide virtual guardrails that help customers like GE, Discovery, and Fannie Mae go big and go fast in the cloud, but still stay secure and compliant.

If interested in identifying security risks and fixing problems before they are exploited, read more on how DivvyCloud’s software can help you improve your security and compliance in the cloud.

Cloud Security is Rapidly Becoming a Forethought

In his article for Forbes titled “With DevSecOps, Security Is No Longer An Afterthought,” Dr. Rao Papolu makes a fantastic comparison between the resistance of organizations needing to put cloud security into the forefront of development plans today and the initial skepticism of the agile movement in years past.  

Developers who “usurped” the waterfall development process and embraced the agile approach were able to deploy up to 46 times more frequently than competitors.

“No one is debating the effectiveness of [the agile approach] anymore, and yet many organizations continue to treat security as an afterthought.” says Dr. Papolu.  He goes on to say, “We’ve been here before.”

The article’s point is plain and clear: As more software and data moves to the web, organizations need to “build proper security from the start.”  

At least once a month we hear about S3 bucket leaks (Fed Ex, Alteryx, National Credit Federation, Verizon, Australian Broadcasting Corporation, Dow Jones, Deep Root Analytics, etc) that have exposed sensitive, personal information for hundreds of millions of people from around the world. This epidemic has seen the theft or loss of more than 9 billion data records in the last five years.

Here’s the problem: Cloud security remains a critical barrier to initial and ongoing adoption of public cloud technologies.

As Dr. Papolu wrote, “The software development landscape is constantly evolving. Developers are under pressure to realize concepts faster than ever before without compromising on quality, all while keeping a keen eye on the overall cost. It can be a tricky balancing act.”

The solution?  DivvyCloud.  

  • Audit and close non-compliant ports open to unauthorized networks (e.g. non-compliant security rules.)
  • Identify API Root Access accounts and ensure two factor authentication is enabled
  • Report and terminate instances running unauthorized images or password policies

This is just the tip of the iceberg on how we can help customers stay secure and compliant in AWS, Azure, and GCP.

If interested in identifying security risks and fixing problems before they are exploited, read more on how DivvyCloud’s software can help you solve your cloud security problems.

Choosing Between AWS, GCP, or Azure? How About All of Them? Increasingly Enterprises Choose Multi-Cloud Strategies

Once a company decides to embrace IaaS and PaaS public cloud computing they then face the challenge of deciding on a vendor, typically AWS, Azure or GCP.  Traditionally, companies would select a single public cloud vendor with whom to partner.  However, over the last 12 months, companies have rapidly moved to adopting multi-cloud strategies, choosing to work with more than one public cloud provider.

At DivvyCloud, we help customers manage AWS, Azure, GCP, VMware, and OpenStack, and this provides us a unique position to identify and understand trends in cloud computing.  In speaking with customers we have identified several drivers that have led to the adoption of multi-cloud strategy as the default for leading companies:

 

  1. Mergers & Acquisitions.  Deloitte reports that “Corporate and private equity executives foresee an acceleration of merger and acquisition (M&A) activity in 2018, both in the number of deals and the size of the transactions. Technology acquisition is the new No. 1 driver of M&A pursuits…”  Increased M&A means that companies are more likely to acquire a new cloud.  Leading IT organizations are being proactive to put in place the people, processes, and tools that will allow them to support all major cloud providers so they aren’t caught flat-footed when a merger or acquisition is announced and they are expected to integrate and operate a new cloud tech stack.
  2. Best of Class. Developers want to build great products, and to do so they want access to the latest, best-of-class cloud technologies and services available from every and any cloud technology provider.  Access to multi-cloud services creates an opportunity to innovate in ways and with speeds that would have previously been impossible, and this is vitally important to company success. According to IDC, “By 2021, at least 50 percent of global GDP will be digitized, with growth driven by digitally-enhanced offerings, operations and relationships. By 2020, investors will use platform/ecosystem, data value, and customer engagement metrics as valuation factors for all enterprises.”  IT leadership at innovative companies are embracing multi-cloud proactively to deliver on the promise of self-service, dynamic, and software-defined infrastructure for developers while upholding the IT organization’s mandate for security and compliance governance.
  3. High Availability / Redundancy. IT leaders recognize that even hyper-scale cloud providers AWS, Azure, and GCP will not be free of service disruptions.  They are building multi-cloud strategies that allow them to ensure that business-critical applications and systems are not reliant on a single cloud.
  4. Vendor Lock-in.  As Forbes points out, companies are increasingly concerned about vendor lock-in and are proactively implementing a multi-cloud strategy.  This allows them maximum flexibility when negotiating pricing and terms.  This multi-cloud strategy also provides a modicum of protection against companies like Microsoft, Google or Amazon, who are increasingly entering new markets, competing against them.  Companies don’t want to be reliant on a single cloud provider and be put in the position of delivering financial support to a vendor that is now taking business from them.
  5. Containers (and really Kubernetes). Developers love containers and DevOps love Kubernetes.  Kubernetes is cloud-agnostic, and you can run your cluster on AWS, GCP, Azure, or any other cloud.  The rise of containers, and especially the popularity and accessibility of Kubernetes creates a new opportunity for companies to now be cloud agnostic, and frankly makes it much easier to be multi-cloud and provides an easier hedge against vendor lock-in.  451 Research analyst Jay Lyman discussed this when he wrote that Kubernetes can “create a consistent developer deployment model across on-premises and hybrid clouds.” As Matt Asay writes, “Kubernetes potentially up-ends the idea of running everything in one particular cloud.”

Automate IAM Security Best Practices in AWS – DivvyCloud

In his article “Easy IAM Security Best Practices for a Secure AWS Cloud,” Anderson Patricio provides an excellent resource that explains several tasks that will bolster IAM security in AWS:
  • Removing the root access key
  • Using users and groups
  • Defining a password policy
  • Managing multifactor authentication
  • Checking IAM user utilization
These are fantastic best practices, but when a company is running at scale in public cloud with tens if not hundreds of accounts in AWS to try to implement and maintain IAM best practices manually is incredibly hard.
DivvyCloud understands this pain, and our solution provides customers with an accessible way to understand your IAM security posture across all your AWS accounts.  In addition, we provide an easy-to-use automation platform that allows you to use our GUI to configure one or more IAM security best practice policies to detect violations and to automatically take actions that you define in the case of said violation.   With DivvyCloud you can automate and enforce all of the best practices documented by Anderson, For example, you can detect and take action on the following checks:
  • Audit if root keys exist
  • Identify that users and groups exist and that users are not getting direct permissions
  • Compliance with company password policy
  • Users who do not have MFA enabled
  • Validate IAM user utilization and disable/remove inactive accounts
This just scrapes the surface of how we can help customers go big and go fast in AWS, Azure, and GCP, but stay secure and compliant.  In essence, DivvyCloud provides virtual guardrails for all of your public clouds and cloud accounts.  Providing a single place to write a single policy and automate its enforcement across all your cloud accounts.  You can read more about the hundreds out-of-the-box best practices related to security, compliance (e.g., NIST CSF and HIPAA), and governance (e.g., tagging).

Stop the Madness – Another Day, Another S3 Bucket Leak Exposing Personally Identifiable Information

News broke today that a “Mountain of sensitive FedEx customer data exposed, possibly for years.”   Sometimes it feels like we are living in the cybersecurity version of the movie Groundhog Day.  Day after day, week after week, we hear about S3 bucket leaks (Alteryx, National Credit Federation, Verizon, Australian Broadcasting Corporation, Dow Jones, Deep Root Analytics, etc) that have exposed sensitive, personal information for hundreds of millions of people from around the world.  It feels like the same day, and the same leak, repeating over and over again.

It doesn’t have to be this way.  You can stop S3 bucket leaks today with one easy step: install DivvyCloud.

In about 15 minutes, you can install DivvyCloud, connect your cloud (AWS, Azure, and GCP) accounts, quickly see S3 buckets that are misconfigured, and then turn on real-time continuous automated remediation of misconfigured buckets.

Make S3 bucket leaks a thing of the past (now and forever). Install DivvyCloud today with a  free 30-day trial and make sure your company never makes the news for an S3 bucket leak.

Are you protecting payment card data well enough in the public cloud?

The 2017 Verizon Payment Security Report asks, “Your payment security might be compliant for the assessment, but how long will it stay that way?” According to the report, 55.4% of businesses achieve full compliance with their annual Payment Card Industry Data Security Standard (PCI DSS) review, but nearly half of these companies then fall out of compliance within a year.

This is incredibly important because 100% of companies that suffered a payment card breach were found to lack compliance with PCI-DSS.  The report elaborates on this point, “Many of the security controls that were not in place cover fundamental security principles that have broad applicability. Their absence could be material to the likelihood of an organization suffering a data breach. Indeed, no organization affected by payment card data breaches was found to be in full compliance with the PCI DSS during a subsequent Verizon PCI forensic investigator (PFI) inquiry.”

So why don’t more companies achieve and maintain compliance?  For many, the challenge is that they simply don’t have the right staffing levels or the right tools to consistently achieve good outcomes when approaching compliance as a manual task.  Automating policy enforcement is a key element to achieving and maintaining compliance.  The report backs this up, “Measure, report and act. Enhance data and security monitoring, detection and response competency through automation, training and performance measurement.”

DivvyCloud helps customers achieve and maintain PCI DSS compliance through the pre-built PCI DSS compliance pack.  This pack provides dozens of prebuilt policies that are mapped back to PCI-DSS directives.  After connecting their public cloud accounts (AWS, Azure or GCP) to DivvyCloud a customer can quickly see if their public cloud environment measures up to these prebuilt policies, and configure Bots (our automated workflows) to enforce or remediate violations of these policies.  This allows companies to quickly move towards achieving compliance, and importantly to stay in compliance.

DivvyCloud continuously monitors cloud infrastructure in AWS, Azure and GCP in real time.  This means that compliance with PCI DSS no longer is a once a quarter exercise where companies lapse in and out of compliance.  DivvyCloud also provides the customer with historical benchmark performance and helps solve the challenge of “control performance vs effectiveness” that the report discusses.

“The performance of security controls should be measured to determine achievement against an established standard benchmark…  Its measurement is based on the amount of time a control meets its intent while in operation, and the amount of time it remains in operation without disruption. It assumes that past achievement is a good indicator of future success.”

The report concludes by saying, “Most companies initiated their PCI Security compliance programs many years ago. By now, they certainly should have processes in place to support their program; making daily management and ongoing control maintenance relatively effortless. Sadly, that’s not always the case.”

DivvyCloud’s policy automation for AWS, Azure, and GCP is here to help if you want to improve your PCI security compliance program and achieve maturity.

In the News: “Security vs. Speed: The Risk of Rushing to the Cloud”

Kelly Sheridan at Dark Reading published a story titled “Security vs. Speed: The Risk of Rushing to the Cloud.”  She summarized the post by saying, “Businesses deploying cloud-based applications and services often overlook critical security steps as they scramble to keep up with the latest technology, and the rush is putting them at risk.”

DivvyCloud sees this as a common challenge among customers who are moving to the public cloud.  A paradigm shift has occurred whereby corporate IT is moving aggressively to deliver self-service access to multiple clouds (AWS, Azure, and GCP primarily) to engineers and developers.  This shift has been driven by the incredible boost that this self-service model to best-of-class cloud services delivers relative to corporate innovation, business agility and competitive advantage.

Kelly describes this shift as such, “‘There’s a lot of customers who have this cloud-first mandate,’ says JK Lialias, senior director of cloud access at Forcepoint. ‘They’ve been told, ‘thou shalt move to the cloud as much infrastructure as you possibly can.'”

She goes on to say, “A lot of pressure is on line-of-business employees to adopt cloud applications and infrastructure, he continues. IT departments are essential in delivering these services and often neglect to understand how on-premises data and processes translate to the cloud.”

This rings true in our experience, we see an increasing number of customers seek out DivvyCloud after first trying to address security challenges using the legacy process and tools that have been used to manage traditional infrastructure.  What they realize is that they need a solution that has been purpose-built to deliver robust security, compliance, and governance for multi-cloud environments operating at scale.  DivvyCloud is exactly this class of product, built from day one to natively manage all clouds (AWS, Azure, GCP, etc) and to automatically take action to enforce policies and remediate violation of policy.  This automation is a key component to cloud infrastructure management, where the rate of change in a software-defined infrastructure environment that is driven by self-service provisioning simply outstrips the ability for teams to manually enforce policy.

We also partially agree with Kelly’s conclusion that, “Experts ‘hope’ to see a slowdown in incidents like AWS bucket leaks and see companies marry caution with speed. However, many will need a wake-up call before adopting best practices.”  We see an increasing number of customers (like GE, Fannie Mae, and Discovery Communications) adopting DivvyCloud software to put in guardrails that enable them to go big and go fast and stay in control, in the public cloud.  However, we see these organizations and many others not waiting for a wake-up call, but instead adopting a proactive, strategic approach to managing cloud infrastructure.

The upcoming Executive Summit on Enterprise Cloud Adoption being co-hosted by DivvyCloud and Discovery Communications on March 19th, at the Discovery HQ in Silver Spring, MD will highlight strategies and tactics by leading experts and organizations. This invite-only summit provides a relaxed environment in which IT executive attendees can build relationships with peers through meaningful conversations and generate new ideas.  You can request an invitation by visiting the event registration page.

Seven out of ten organizations fail the cyber readiness test.

The “Hiscox Cyber Readiness Report 2018,” has been published and one of the major findings is that seven out of ten organizations fail the cyber readiness test. The Hiscox Cyber Readiness Report is compiled from a survey of more than 4,100 executives, departmental heads, IT managers and other key professionals in the USA, UK, Germany, Spain and The Netherlands.

The report amongst other things measures the cyber readiness of respondents using a multi-dimensional model built on best practice in cyber strategy and execution. The report summarizes its findings by saying, “As an end of term report, it might have the words ‘can do better’ scrawled on it in red ink. It highlights the cyber readiness shortcomings of the majority of the organisations in our sample, particularly the smaller ones.”

The report summarizes, “We measured organisations’ cyber security readiness according to the quality of their strategy (broken down into oversight and resourcing) and execution (processes and technology). From this we produced a cyber readiness model that divided respondents into ‘cyber novices’, ‘cyber intermediates’ and ‘cyber experts’. Nearly three-quarters of organisations (73%) fell into the novice category, suggesting they have some way to go before they are cyber-ready. Only 11% qualified as experts.”

The report goes on to say, “Last year was the moment when major international cyber attacks hit the headlines and affected individuals and companies simultaneously in dozens of countries. High profile victims suffered severe reputational and financial damage, sometimes because they had not taken the threat seriously and done the basics, and sometimes because their handling of the breach revealed deeper corporate failings.”

Public cloud adoption and the more recent move to multi-cloud strategies (i.e., using AWS, Azure and GCP, or some combination thereof) has exacerbated the challenge that companies face when trying to address security, compliance and governance challenges.  It seems that the barrage of public stories about misconfigured cloud storage containers leaking sensitive information is weekly.  For example, “Misconfigured Amazon Web Services bucket exposes 12,000 social media influencers,” “Alteryx S3 leak leaves 123m American households exposed,” “Verizon Hit by Another Amazon S3 Leak,” and “Massive Amazon S3 leaks highlight user blind spots in enterprise race to the cloud.”

Cyber security isn’t simple, but the report does point out that companies that are more expert at addressing challenges share one common trait, they are proactive.  “What sets the cyber experts apart from the cyber novices? Nine out of ten (89%) have a clearly defined cyber strategy, most (72%) are prepared to make changes after a breach and 97% incorporate security training and awareness throughout the workforce,” the report states.

DivvyCloud’s customers all share this same trait.  They are proactive, and they use DivvyCloud as part of a clearly defined, policy-driven cyber strategy.  For example, using the DivvyCloud software they define and deploy policies that are enforced in real-time across all of their cloud environments. For example, they have deployed DivvyCloud to proactively (and permanently) solve the storage container leaks that have created so many headlines in the last year.

 

A Look Into the Future of Cloud Innovation

It’s that time of year when IT industry analysts and experts dust off their crystal balls and peer into the future to see what lies ahead for the technology industry. Cloud computing continues to be a sizzling hot topic as enterprises are increasingly moving to the cloud, and there is no shortage of outlooks or opinions on how the cloud will continue to evolve next year.

For example, last week Forrester Research released a new report, Predictions 2018: Cloud Computing Accelerates Enterprise Transformation Everywhere, which takes a look at the top 10 factors that will impact the cloud computing landscape in 2018. According to the report, “In 2018, we’ll cross the significant 50% adoption milestone, and cloud applications, platforms, and services will continue to radically change the way enterprises compete for customers.”

In this InformationWeek article, columnist James Connolly talks to Forrester analyst Dave Bartoletti, one of the authors of the report, about his views on the cloud market. Here are a few of the trends outlined in the article that Bartoletti says to watch for in 2018:

  • A focus on developers breathes new life into private cloud.
  • Cloud applications and development platforms drive culture transformation.
  • Cloud security will become integrated with, and integral to, cloud platforms.

Bartoletti also states that “The cloud is no longer about cheap servers and cheap storage. Cloud today is about innovation.”

We couldn’t agree more. Many enterprises are well into the adoption phase and the cloud truly is a game-changer when it comes to innovation and the ability to create software faster. This is the dream of all companies and we’ve seen this trend among our own customer base as well.

However, there are risks associated with turning up access to the cloud to a large population. For example, with hundreds of developers able to access Amazon Web Services (AWS), ensuring security, compliance and governance can be a challenge for IT managers.

Many enterprises already have a suite of tools that they have used to manage traditional infrastructure. These tools can play an important role in securing cloud infrastructure, but often leave gaps that frustrate IT pros and leave companies open to security and compliance risks. Provisioning systems, like Ansible, combined with infrastructure as code software, like Terraform, help solve some of these challenges but often still fall short of provided comprehensive and universal compliance and security governance. These gaps often lead companies to pull back from the dream of delivering full self-service access to public cloud services.

So, what does all of this mean for the future of innovation?

There has to be a balance between giving developers the freedom and convenience of spinning up their own servers and services, while also maintaining the security and governance of this cloud infrastructure.

DivvyCloud enables an agentless platform that delivers policy-driven automation for public and private cloud infrastructure. DivvyCloud empowers developers and engineers to innovate and simultaneously protects the corporate IT directive to deliver security and compliance. With our multi-cloud platform, developers have the freedom to choose which clouds are best suited for their company’s needs without IT having to develop policy automation and compliance solutions for each cloud.

Our cloud automation tools take the burden off of the IT department by automatically monitoring cloud infrastructure and automating the enforcement and remediation of issues in real time. These virtual “guard rails” provide a pervasive set of security, compliance and cost governance that complements and integrates with existing systems, like Ansible and Terraform, to ensure that cloud infrastructure is well governed.

As we head into 2018, DivvyCloud is well poised to help our customers embrace the cloud computing trends identified by Forrester. If your company wants to be at the forefront of this innovation, contact us by clicking here. Or, you can also find us in Booth #1502 at AWS re:Invent, November 27 – December 1, 2017 in Las Vegas, where we’ll be demonstrating the latest version of the DivvyCloud platform.

Top 5 Tips for Attending re:Invent 2017

Re:invent is one of the cloud computing world’s biggest events, and it’s just around the corner! Whether this is your first time visiting attending or you’ve been before, with an expected 40,000 attendees, more than 400 exhibitors, more than 1,000 breakout sessions and plenty of late night activities this event can be a little challenging to navigate. Here are our top five tips on how to make the most out of your re:invent experience in 2017.

1. Pick the breakout sessions you want to attend and pre-register for them ASAP– Get the most out of the event by signing up for some of the 1000+ breakout sessions and bootcamps ahead of time. There were many disappointed attendees last year when they couldn’t get into sessions they were looking forward to attending. It may take a little time to get your schedule figured out in advance, but something we strongly recommend doing so you don’t miss out!

2. Pack accordingly to get your game on — re:Invent is THE MUST ATTEND cloud event of the year and AWS doesn’t take the cake for their education sessions alone. One of the best parts of this event is the AWSome line up of activities throughout the week. Take advantage of them to avoid mid-week brain burnout! Some of these activities are: 4K Fun Run, re:Play Party, the Broomball Tournament, the Lego Pinewood Derby, the Chicken Wing Eating Contest, and the Pub Crawl…just to name a few! You can check out the full list of activities here. You can register for these events with your event log-in. Be sure to pack clothing suitable for the ones you want to participate in. Blazers won’t really work for the ball pit!

3. Wear comfy shoes — Everyone who has EVER been to a Las Vegas trade show knows the pain your feet are in by day 3. Vegas = walking. Lots of walking. While there are plenty of transportation options; rail, Uber, Lyft, and rental cars to get you around town, those only cover the outdoors. Once you’re inside the massive hotels and convention center, you’ll be walking quite a ways to your destination. Bottom line; if you don’t have a pair of comfy sneakers for the week, order a pair on Amazon before you run out of time. There are some things you can go without in Vegas. However, a good pair of shoes is NOT one of them.

4. Download this year’s re:Invent mobile app – Download the re:Invent mobile app for all the latest event updates, assistance in planning your schedule beforehand, and especially to help you navigate around town during the event. The app is your go-to source for everything pertaining to the event this year. There are some cool interactive features to take advantage of so be sure to check it out!

5. Leave extra space in your suitcase for swag — With more than 400 exhibitors, you’ll inevitably collect lots of swag throughout the week. As you’re strolling through the Exhibit Hall in between sessions, you’ll pick up everything from tee shirts, stickers, fidget spinners, water bottles, drones, tech toys, and more. You’re going to end up with way more than you started with at the beginning of the week. Leave extra space in your suitcase or pack an extra duffle bag so you can lug all those goodies home on Friday! While strolling through the Exhibit Hall, play DivvyCloud’s arcade game and don’t forget to pick-up THE sticker of the day! We’re booth #1502. You can’t miss us this year!

Want to snag a meeting slot with us ahead of time? Great. Click here so we can coordinate with you.

DivvyCloud and How Bots Will Transform Enterprise Infrastructure

DivvyCloud and How Bots Will Transform Enterprise Infrastructure

With the rise of on-demand computing, the pace of potential innovation in an enterprise has increased dramatically. Employees are no longer subject to long lag times to order a new server or limited by the constraints of existing compute power.  The age of cloud computing for the enterprise has arrived, and with it the promise of agility, scalability, and greater business execution.

But there is another side of the coin.  Along with the nimbleness, there is an increase in potential risk. Globally, CIOs, CTOs, CISOs, and heads of infrastructure take a deep breath each time they read headlines about the latest hack or loss of business due to improper management of customer data. If companies do not properly set up guardrails enforce policies, public or hybrid cloud infrastructure quickly become an unwieldy structure that loses the efficiencies it promises and puts the entire enterprise at greater risk.

To properly manage this paradigm shift, enterprises will increasingly require a more robust and effective means to police and protect their cloud infrastructure. They need processes and administration to ensure that they remain secure, compliant, and efficient.

But here’s the challenge: how does an enterprise decentralize control across a large organization and still simultaneously enforce standards that allow them to mitigate risk? If they open Pandora’s Box to innovate, can they maintain integrity across a large infrastructure to properly operate?

Enter automation. Enter bots.

MissionOG invested in DivvyCloud because the company’s platform provides the automation essential to enforce policy, thus reducing risk, provide governance, impose compliance, and increase security across large-scale hybrid cloud infrastructure. By utilizing their platform, companies like GE, Discovery, and Fannie Mae stay agile and innovate, while maintaining the integrity of their technology stack and apply the policy they deem necessary to operate their business.

Core to DivvyCloud’s platform is BotFactory, an easy-to-use interface from which clients can deploy more than 125 standard bots or create their own for specific use cases to manage their existing cloud infrastructure. At scale, policy enforcement cannot and should not be performed manually. With BotFactory, DivvyCloud customers can discover and automatically take action to address policy infringements or security issues. Automation allows for simultaneous offense and defense, resulting in increased innovation and a reduction of risk.

We believe DivvyCloud offers the right solution for this massive market opportunity:

  • Within enterprises, the pace of migration from data centers to a public cloud or hybrid cloud infrastructure has ramped significantly over the last couple of years. Gartner predicts as enterprises become “cloud-first”, spend for cloud management and security services are estimated to grow from $7B today to $14B by 2020.
  • Recent news cycles about the cost of compliance violations and security breaches only buoy the case and support the need for automation at enterprises to operate cloud infrastructure at scale.
  • Rather than single-vendor source, enterprise customers are implementing a hybrid cloud, multi-cloud approach that requires third-party tools to optimize environments.
  • DivvyCloud has built a flexible, extensible platform that helps manage compliance, cost, and security.
  • The solution builds an infrastructure map then detects abnormalities in near-real time based on client specific rules. Bots warn of violations of policy and automate the remediation.

To learn more about how DivvyCloud is helping its clients unlock innovation through cloud automation, please view a select group of their case studies.

By utilizing platforms like DivvyCloud and exercising the power of automation, enterprises can be agile enough to delight their customers, while still being able to sleep at night.

###
George Krautzel
Managing Partner at MissionOG
LinkedIn Profile

DivvyCloud Announces Major Software Upgrade with Version 17.06 Release

DivvyCloud Announces Major Software Upgrade with Version 17.06 Release

DivvyCloud software enables enterprise cloud adoption with multi-cloud policy automation to identify and autonomously fix security, cost and compliance issues

Arlington, Virginia (October 31, 2017) – DivvyCloud, a leading developer of innovative technology to automate and optimize cloud infrastructure, today announced the latest version of the DivvyCloud platform; simplifying how users view, identify, and automatically fix cloud infrastructure problems for good — all in just one click. The version 17.06 release launches ‘Insights’, making it easier to identify resources, and monitor and automate security, compliance, and cost governance. 17.06 key features include Insight Templates, Insight Store, One-Click Bot Creation to Take Action, and Complete Visibility of All Resource Types.

See It: Complete Visibility of All Resource Types
One of the most valuable improvements in 17.06 is resource visibility. DivvyCloud understands the importance of creating a true “single-pane of glass” for our customers managing large amounts of resources. The updated Resource section achieves this single-pane of glass view by organizing and presenting all resources in an intuitive and familiar Compute-Storage-Network-Management framework. Within that framework, Resources can filtered by a combination of cloud accounts, Resource Groups, or any of hundreds of filters designed to help understand and interact with infrastructure to speed resource discovery and problem resolution.

Identify It: Insights and Insight Store
Insights are a powerful new tool within the DivvyCloud platform that provides customers with a clearer view of their hybrid-cloud infrastructure. With more than 90 pre-packaged Insights to choose from, the newly released Insight Store has customizable templates that give cross-account visibility to the most important issues in the cloud. Each template addresses a common problem in the cloud by showing which of your resources is at risk for that vulnerability. Customers can see potential security and compliance issues, enable best practices, and optimize their infrastructure with the use of these Insights.

Fix It: One-Click Bot Creation to Take Action
After customers have selected an Insight, they can automate remediation actions quickly and simply with the new one-click Bot Template Creator. Designed to respond directly to Insights, customers now can simply click one button to deploy a Bot to take user-defined action when non-compliant resources are detected. Paired with the Insights feature, customers are now empowered to make quick and effective decisions on how to deal with risky resources, while DivvyCloud’s Bots automatically enforce those decisions.

Brian Johnson, CEO of DivvyCloud, said, “Consistent with DivvyCloud’s development process, many of the improvements were driven by conversations and guidance from our enterprise customers. The demand for Insights and the associated enhancements is significant. Customers need the real time ability to discover risks, and with one-click take action to solve them not only on a one-time basis, but too guard against recurrence in perpetuity. Insights are a continuation of our mission to create and deliver value for our enterprise customers as they adopt and rapidly scale in the public cloud.”

Next month, DivvyCloud will showcase the version 17.06 release’s newest capabilities at AWS re:Invent, November 27 – December 1, 2017 in Las Vegas (Booth #1502). Those interested in meeting the DivvyCloud executive team for a product demonstration can do so by clicking here.

About DivvyCloud
DivvyCloud software enables organizations to achieve their cloud computing goals by simplifying and automating compliance and optimization of public and private cloud infrastructure. Using DivvyCloud, customers can leverage programmatic Bots to identify and remediate security, cost and compliance problems in real time. DivvyCloud was founded by seasoned cloud technologists who understand first hand what is necessary to succeed in today’s fast-changing, multi-cloud world.

###
Media Contact
Meredith Bagnulo
PR for DivvyCloud
meredith@bagnulocomm.com
(303) 513-7494

What’s New in DivvyCloud?

Simplify how to identify cloud infrastructure risks with “Insights”

For organizations managing a public- or hybrid- cloud, visibility and automation are paramount to ensure a secure infrastructure. To be effective, visibility and automation must be easy to achieve, especially when managing countless resources across multiple clouds and work environments. IT needs to be able to quickly see and understand what resources exist and if any of them are at risk without a complicated process. In response to the growing complexity of our customer needs and concerns, we introduced significant improvements to our platform in the latest 17.06 release. Launched in early October, 17.06 simplifies the user experience by making resource discovery, monitoring, and automation possible in just one-click. Here’s what you can expect from 17.06.

Insight Templates & Insight Store

Insights are a powerful new tool within the DivvyCloud platform that provides users with a clearer view of their cloud infrastructure. With more than 90 pre-packaged Insights to choose from, our Insight Store has customizable templates that give cross-account visibility to the most important issues in the cloud. Each template addresses a common problem in the cloud by showing which of your resources is at risk for that vulnerability. Users can see potential security and compliance issues, enable best practices, and optimize their infrastructure with the use of these Insights. Our customers have questions about the state of their clouds and want to get answers without worrying about creating custom filters or Bots for every use case that interests them. We want that experience to take less time for the user while keeping the process approachable and accessible.

One-Click Bot Creation to Take Action

After you have chosen your Insights, you can automate remediation actions quickly and simply with our one-click Bot Template Creator. Designed to respond directly to your Insights, users can simply click one button to deploy a Bot to take user-defined action when non-compliant resources are detected. Paired with the Insights feature, customers are now empowered to make quick and effective decisions on how to deal with risky resources, while our Bots automatically enforce those decisions.

Complete Visibility of All Resource Types

One of the most valuable improvements in 17.06 is resource visibility. We understand the importance of creating a true “single-pane of glass” for our users managing large amounts of resources. The updated Resource section achieves this single-pane of glass view by organizing and presenting all resources in an intuitive and familiar Compute-Storage-Network-Management  framework. . Within that framework, Resources can filtered by a combination of cloud accounts, Resource Groups, or any of hundreds of filters designed to help you understand and interact with your infrastructure to speed resource discovery and problem resolution.

To learn more about the 17.06 release watch this video. You can learn more about DivvyCloud by visiting our website at www.divvycloud.staging.wpengine.com.

Former GE CIO Thomas Martin Joins DivvyCloud as Advisor, Presenting at AWS re:Invent 2017

Former GE CIO Thomas Martin Joins DivvyCloud as Advisor, Presenting at AWS re:Invent 2017

DivvyCloud software enables enterprise cloud adoption with multi-cloud policy automation to identify and autonomously fix security, cost and compliance issues

Arlington, Virginia (October 29, 2017) – DivvyCloud, a leading developer of innovative technology to automate and optimize cloud infrastructure, today announced that Thomas Martin has joined as an advisor.  He will be presenting with DivvyCloud at booth (#1502) on ‘Cloud Vulnerabilities and Security.’

Brian Johnson, CEO of DivvyCloud, said, “I am very pleased that Thomas has chosen to work with us. As we continue to add feature functionality to our platform, his industry expertise and background in cloud operations at massive scale will undoubtedly help us to navigate the infrastructure security needs of the enterprise-level, multi-org business structure. We are excited to have him on-board during this critical growth phase of DivvyCloud.”

Martin joins DivvyCloud as a former CIO, and technology leader at the General Electric Company. Prior to leaving GE, Thomas was the Executive Vice President of Application Transformation tasked with moving 9,000 legacy workloads to public and private cloud infrastructure. He has been a leading evaluator, adopter, and advocate of innovative tools and emerging technology that drive effective operation of cloud infrastructure at scale.

Next month, Thomas will be joining DivvyCloud as they showcase their platform’s newest capability; ‘Divvy Insights’ at AWS re:Invent, November 27 – December 1, 2017 in Las Vegas. If you are interested in how DivvyCloud can help your business, meet-up with the team for a product demonstration by clicking here.

About DivvyCloud

DivvyCloud software enables organizations to achieve their cloud computing goals by simplifying and automating compliance and optimization of public and private cloud infrastructure. Using DivvyCloud, customers can leverage programmatic Bots to identify and remediate security, cost and compliance problems in real time. DivvyCloud was founded by seasoned cloud technologists who understand first hand what is necessary to succeed in today’s fast-changing, multi-cloud world.  

###
Media Contact
Meredith Bagnulo
PR for DivvyCloud
meredith@bagnulocomm.com
(303) 513-7494

SprockIT and NAB Show Welcome Nine New Media, Entertainment and Technology Startups to Partnership Program

Originally from SprockITglory.com

POSTED ON OCTOBER 17, 2017

The new startups cap off a banner quarter for current SPROCKIT startup and corporate members, who raised more than $37 million in funding and made significant partnership announcements since August 2017

NEW YORK–(BUSINESS WIRE)–SPROCKIT, the global community that curates, connects and fosters collaboration between market-ready startups and media, entertainment and tech companies to drive innovation in collaboration with NAB Show, today announced nine new startups selected to participate in the year-long program.

“Now in our fifth year of bringing solutions to the biggest challenges in the media, entertainment and technology industries, SPROCKIT’s proven success in curating, connecting and fostering collaboration between startups and corporate members continues to garner a very strong pool of applicants,” said Harry Glazer, founder and CEO, SPROCKIT. “SPROCKIT is pleased to welcome elite startups including Apptimize, Data+Math, Limbik, Seek, Social Flow, Trint,Vizbee, Wibbitz and Wochit into our SPROCKIT class of 2017.”

The companies cap off a banner quarter for current SPROCKIT members and partners. Highlights include:

  • Current SPROCKIT startups raised more than $37 million in funding this quarter, including DivvyCloud ($6M led by RTP Ventures); ICX Media ($6.6M led by Grotech Ventures with participation from NRV, PJC and Avonlea Capital); Streamroot($3.2M from Partech Ventures, Techstars Venture Capital Fund, Verizon Ventures and R/GA); and VideoAmp ($21.9M led by Mediaocean with participation from RTL Group, GoAhead Ventures, StartUp Capital Ventures, Anthem Venture Partners, Wavemaker Partners, and Simon Equity Partners)
  • Elastic Media announced a partnership with Channel 2 News, Israel’s leading news broadcaster, to deliver news broadcasts to mobile devices via Elastic Media’s platform.
  • Pixability won the Video Innovation Award from SPROCKIT corporate member Google and its Premier Partner program.
  • Streamroot was selected as one of eight participants in the inaugural Verizon Media Tech Venture Studio program, led by SPROCKIT corporate member Verizon Digital Media in partnership with R/GA, alongside SPROCKIT alumnus Scorestream.

SPROCKIT will convene the full 2017 class of industry-vetted emerging companies with its world-class corporate partners, including Google, Fox Networks Group, Hearst Television, Samsung NEXT, TEGNA Inc., Univision Communications Inc. and Verizon Digital Media Services, at its exclusive SPROCKIT Sync forum, being held October 17, 2017 at Samsung NEXT in New York prior to NAB Show New York. Attendees will meet to tackle cross-sector challenges, forecast trends and bring innovative solutions to market.

“Our customers expect us to utilize the most cutting-edge solutions and products available, and SPROCKIT has a proven track record of curating and connecting us to startups at the forefront of innovation,” said Gus Warren, managing director, Samsung NEXT. “We are pleased to be partner with SPROCKIT to host this year’s SPROCKIT Sync NYC and meet with some of the most compelling innovators in the industry.”

Startups interested in participating in the SPROCKIT program are invited to apply here. Applications will be reviewed on a rolling basis, with accepted startups invited to participate in future SPROCKIT Syncs as well as the SPROCKIT Hub at the annual NAB Show in Las Vegas and other key industry events, to foster communication and collaboration.

ABOUT SPROCKIT

SPROCKIT is a global community that curates, connects and fosters collaboration among leading media, entertainment and technology companies and market-ready startups to bring innovative products, services and revenue models to market. Since its launch in 2013, more than 100 emerging companies have participated in SPROCKIT, many of which have experienced successful funding rounds, partnerships and acquisitions with companies including SPROCKIT’s corporate sponsors. Learn more at sprockitglory.

ABOUT NAB SHOW

NAB Show, held April 7-12, 2018 in Las Vegas, is the world’s largest convention encompassing The M.E.T. Effect, the convergence of media, entertainment and technology. With 103,000 attendees from 161 countries and 1,800+ exhibitors, NAB Show is the ultimate marketplace for solutions that transcend traditional broadcasting and embrace content delivery to new screens in new ways. From creation to consumption, across multiple platforms and countless nationalities, NAB Show is where global visionaries convene to bring content to life in new and exciting ways. For complete details, visit nabshow.

CONTACTS

SPROCKIT
Elyssa Rae, 804-338-3102
elyssa@sprockitglory.comor
NAB Show
Ann Marie Cumming, 202-429-5350
amcumming@nab.org

Jumpstarting Enterprise Hybrid-Cloud with VMware Cloud on AWS

Enterprise customers with VMware installations in their datacenters can now quickly shift workloads into AWS using VMware Cloud. Almost a year after the initial announcement, this long-anticipated offering is now a reality and ready for mainstream consumption.

Based on VMware vSphere, with optimized access to AWS services, the offering is delivered, sold, and supported by VMware as an on-demand service with all the hardware scalability benefits of AWS bare metal infrastructure beneath it.

So, what’s cool about the offering?

  • As a SaaS offering, VMware Cloud runs as its own stack including NSX, vSAN, and vSphere. Unless accessing other AWS services, customers won’t even realize they are running on AWS as a virtual extension of their own data center.
  • Full access to all AWS native services through the public API endpoints, without additional networking charges.
  • Flexibility to shift workloads between the data center and AWS cloud.
  • The ability to leverage existing VMware licenses to secure pricing discounts (maximum 25% off list depending on license type.)

What stinks about it?

  • The minimum host configuration requirement is 4 hosts per cluster. On demand pricing of $8.3681 per hour per host would require a minimum consolidation ratio of 3.9 to reach potential native cloud pricing of $0.06 per comparable instance (bandwidth charges not included.)
  • 50% savings over the above host pricing can be obtained by committing to 3 years of reserved hosts. Unfortunately, just like reserved native cloud instances, you are charged for every hour of the commitment regardless of whether the instances are running or not.
  • Workload mobility is currently limited to only cold migration to transfer workloads to the cloud Software Defined Data Center, SDDC. (Cross-cloud vSphere vMotion migration is on the product roadmap, but no date commitments have been provided.)
  • To use vCenter Hybrid Linked Mode you will need to be running vSphere 6.5d or later; You can however do cold migrations of the VMs without it.

Key Take-Aways…

Don’t expect public cloud instance pricing, but VMware has eliminated any excuses for most enterprise customers to start the public cloud transition, if only for Dev/Test workloads. Taking advantage this PaaS/SaaS offering will help reduce the internal IT team’s workload to support these VMs.

With full access to native AWS services, using VMware Cloud as a foundation, your Application teams can begin to leverage cloud services such as Lambda, RDS, DynamoDB and Redshift without having to do cloud transformation migration of the core application.

It’s clear that the VMware Cloud offering can jumpstart your enterprise hybrid cloud efforts, but just like with native cloud services, the tendency to overprovision, misconfigure, and abandon running resources is real and you must manage these actions to ensure a secure cloud environment as well as managing runaway cost. This starts with a well implemented tagging strategy, in combination with continuous monitoring, and an action driven compliance engine.

Key areas to consider and control are:

  • Policy automation to ensure compliance with security policy controls and asset configurations
  • Operational automation tied to storage, CPU and memory allocation of virtual instances.
  • Resource cost management through downsizing over-provisioned instances, stopping dev/test instances off-cycle, and eliminating stranded resources such as orphaned or underutilized hypervisors

Whether your enterprise cloud efforts are focused on the native consumption of public resources, establishing a hybrid cloud footprint both on premise and off, or you are just starting out by migrating workloads to the new VMware Cloud on AWS platform, having third party governance and automation platform is a cornerstone feature to drive consistent policy adoption, ensure security compliance, and optimize efficient consumption of resources.


Thomas Martin is a former CIO, and technology leader of the General Electric Company.  Prior to leaving GE,  Thomas was the Executive Vice President of Application Transformation tasked with moving 9000 legacy workloads to public and private cloud infrastructure.  He has been a leading evaluator, adopter, and advocate of innovative tools and emerging technology that drive effective operation of cloud infrastructure at scale.

DivvyCloud Appoints Christopher Hertz as Chief Marketing Officer

DivvyCloud Appoints Christopher Hertz as Chief Marketing Officer

DivvyCloud software enables enterprise cloud adoption with multi-cloud policy automation to identify and autonomously fix security, cost and compliance issues

Arlington, VA (October 5, 2017) – DivvyCloud, a leading developer of technology to automate and manage cloud infrastructure, today announced the expansion of its executive team with the appointment of Christopher Hertz as Chief Marketing Officer.  Hertz will lead DivvyCloud’s sales and marketing teams to help drive growth and customer success.

Hertz’s hire comes on the heels of DivvyCloud’s announcement that it received $6,000,000 in equity funding led by RTP Ventures. DivvyCloud will use the funds to scale its sales and marketing operations, under Hertz’s leadership, as well as accelerate development of its cloud infrastructure governance and security platform.

“It is an exciting time to join the DivvyCloud team.  Long-term customers such as General Electric, Discovery Communications and Fannie Mae, use DivvyCloud to enable their multi- and hybrid- cloud strategies,” said Hertz. “We empower our customers to have their cake and eat it too when it comes to taking advantage of all the benefits of cloud infrastructure while automating compliance and remediation of common risks associated with operating in the cloud at scale.  Any enterprise scaling its use of public and hybrid cloud can achieve the same success by deploying DivvyCloud to reduce cost, improve security and ensure compliance. I am excited to help accelerate growth for DivvyCloud and unlock value for our customers.”

Hertz brings 20 years of strategic business, sales and marketing experience in enterprise software, cloud technologies, and IT services.  Prior to joining DivvyCloud, Hertz was founder and president of New Signature, the IT consulting firm that helped hundreds of customers migrate to the cloud.  Under Hertz’s leadership, New Signature achieved 12 years of consecutive double-digit revenue growth and was named Microsoft’s United States Partner of the Year in 2014 and 2015.  Hertz exited the company after selling to BSI Partners, LLC as part $35M Series A investment from Columbia Capital. Hertz holds a Master of Business Administration from the MIT Sloan School of Management and a Bachelor of Science with a double major in Information Management and Technology and Anthropology from Syracuse University.

“We’re thrilled to welcome Chris aboard during this exciting period of growth,” said Brian Johnson, DivvyCloud CEO. “He is a visionary, results-oriented, leader with deep experience helping customers adopt cloud and accelerate the maturity of their cloud operations.  His passion for delivering amazing experiences and unlocking shared value for our customers fits perfectly with our culture and philosophy.”

About DivvyCloud
DivvyCloud software enables organizations to achieve their cloud computing goals by simplifying and automating security, compliance and cost optimization of public and private cloud infrastructure. Using DivvyCloud, customers can leverage programmatic Bots to identify and remediate common cloud problems in real time. DivvyCloud was founded by seasoned technologists who understand firsthand what is necessary to succeed in today’s fast-changing, multi-cloud world. For more information, visit: https://divvycloud.com.

###
Media Contact
Meredith Bagnulo
PR for DivvyCloud
meredith@bagnulocomm.com
(303) 513-7494

DivvyCloud Secures $6M in Series A Funding Led by RTP Ventures

DivvyCloud Secures $6M in Series A Funding Led by RTP Ventures

DivvyCloud software enables enterprise cloud adoption with multi-cloud policy automation to identify and autonomously fix security, cost and compliance issues

Arlington, VA (September 6, 2017) — DivvyCloud, a leading developer of innovative technology to automate and manage cloud infrastructure, today announced that it has received $6,000,000 in equity funding led by RTP Ventures. DivvyCloud will use the funds to scale its sales and marketing operations as well as accelerate development of its cloud infrastructure governance and security platform.

“Large IT organizations embracing the agility and cost-effectiveness of a devops-driven cloud strategy face a dilemma: how can we keep our developer teams agile and productive while maintaining controls our business requires?,” said Kirill Sheynkman, Managing Director of RTP Ventures. “Only a team that experienced these challenges firsthand can come up with a solution. And Divvy nailed it — a flexible, extensible, open framework for creating a policy enforcement mechanism for modern hybrid cloud deployment. DivvyCloud builds complex, technical products led by an experienced team targeting businesses in large, “high need” verticals — that’s RTP’s investment theme and Divvy fits it to a T.”

The value of DivvyCloud software has been proven with enterprise customers like General Electric, Discovery Communications and Fannie Mae, among others. DivvyCloud is differentiated in the market with its native multi-cloud policy automation; its patent-pending data harvesting technology; and its platform-first strategy that allows customers and partners to leverage the DivvyCloud platform to develop their own cloud management solutions and products.

“For two years, DivvyCloud’s automation platform has been a foundational component of our enterprise cloud adoption strategy. DivvyCloud helps to ensure our fast-growing cloud footprint remains secure and cost optimized while helping to integrate cloud into our existing IT operations,” said Dave Duvall, SVP of Infrastructure at Discovery Communications. “The speed at which DivvyCloud innovates and introduces new capabilities helps us stay ahead of problems.”

Product investments will include the expansion of industry specific policy automation, and incorporating new innovative cloud services from AWS, Azure, Google and other leading cloud technologies. DivvyCloud also plans to launch support for container technologies such as Docker later this year allowing automated enforcement of security, cost and compliance across the increasingly complex landscape of virtual cloud infrastructure.

“Cloud computing is a dynamic and fast-changing space and this new funding enables us to expand our reach in serving the needs of enterprises large and small struggling to manage their cloud infrastructures,” said Brian Johnson, CEO of DivvyCloud. “With RTP Ventures’ deep experience in the SaaS space, their expertise will be invaluable as we take DivvyCloud to the next level.”

About DivvyCloud

DivvyCloud software enables organizations to achieve their cloud computing goals by simplifying and automating security, compliance and cost optimization of public and private cloud infrastructure. Using DivvyCloud, customers can leverage programmatic Bots to identify and remediate common cloud problems in real time. DivvyCloud was founded by seasoned technologists who understand firsthand what is necessary to succeed in today’s fast-changing, multi-cloud world. For more information, visit: www.divvycloud.staging.wpengine.com.

Media Contact
Meredith Bagnulo
PR for DivvyCloud
meredith@bagnulocomm.com
(303) 513-7494

DivvyCloud responds to latest AWS feature with new security rule description bot

On August 31, AWS announced its new ability to add descriptions to security group rules. Previously, descriptive text was only available for identifying security groups. The challenge with this limitation was being able to quickly recognize the purpose of the security group rule without any context.

Security group rules are categorized by type, protocol, port range and source. For example, you could be looking at a rule that is known as SSH, TCP, 22, 93.12.35.32/32, but it’s very hard to tell where it came from, who created it, or what it is for. This is like looking for someone in a crowd but only having their social security number, blood type and date of birth. How would you be able to identify who they were if you were only looking for them? As it turns out, this particular rule shows someone opened SSH from a public WiFi access point at a Starbucks in Chicago! 

In response to this latest feature, DivvyCloud created a new audit bot that quickly locates security group rules that do not have descriptions. Maintaining and cleaning up these rules is big concern for organizations, and having an automated method to address these issues can save a great deal of time and more efficiently protect the cloud infrastructure.

When the time comes to auditing these resources, it can be almost impossible to tell if it is still needed, what it was for, or if it provides a risk for the organization. This can be problematic for organizations that are juggling thousands or tens of thousands of security group rules. This addition to AWS services is intended to greatly reduce operator error during the auditing and security management process.

To learn more about this and other features DivvyCloud offers visit www.divvycloud.staging.wpengine.com.

DivvyCloud Announces DivvyCloud Platform for VMWare Clouds on AWS

DivvyCloud Platform now for VMWare Clouds on AWS

DivvyCloud software provides customers with hybrid-cloud visibility and policy automation to identify and remediate security, cost and compliance issues.

August 28, 2017 — DivvyCloud, a leading developer of innovative software to automate and manage multi-cloud infrastructure at scale, today announced that DivvyCloud Platform is available to customers of VMware Cloud™ on AWS. Launched today with initial availability in AWS US West (Oregon) region, VMware Cloud on AWS brings together VMware’s enterprise-class Software-Defined Data Center (SDDC) software and elastic, bare-metal infrastructure from Amazon Web Services (AWS) to give organizations consistent operating model and application mobility for private and public cloud. DivvyCloud Platform enables consistent policy enforcement and automation of cloud best practices to customers of VMware Cloud on AWS.

DivvyCloud’s software is unique in the marketplace with its ability to track real-time changes across clouds and take customer-defined, autonomous action to fix problems and ensure policy compliance. Customers can leverage standard automation bots to proactively address a wide range of security, cost and compliance challenges commonly faced by any organization adopting or expanding their cloud infrastructure.

“As an ISV focused on compliance automation, we are proud to support customers of VMware Cloud on AWS. DivvyCloud has collaborated with VMware and AWS since our inception and believe this new offering will simplify and accelerate cloud adoption by enterprise customers,” said Brian Johnson, CEO, DivvyCloud.

VMware Cloud on AWS technology partners enable customers to deploy the same proven solutions seamlessly in both the public and private cloud. VMware simplifies the deployment and eliminates the need for partners to refactor solutions for VMware Cloud on AWS. If a partner solution works on-premises in a VMware vSphere® environment, it will easily support VMware Cloud on AWS. VMware technology partners complement and enhance native VMware Cloud on AWS service and enable customers to realize new capabilities.

“VMware Cloud on AWS provides customers a seamlessly integrated hybrid cloud offering that gives customers the SDDC experience from the leader in private cloud, running on the leading public cloud provider, AWS,” said Mark Lohmeyer, vice president, products, Cloud Platforms Business Unit, VMware. “Solutions such as the DivvyCloud Platform enable IT teams to reduce cost, increase efficiency, and create operational consistency across cloud environments. We’re excited to work with partners such as DivvyCloud to enhance native VMware Cloud on AWS capabilities and empower customers with flexibility and choice in solutions that can drive business value.”

About VMware Cloud on AWS
Delivered, sold and supported by VMware as an on-demand service, and running on elastic, bare-metal AWS infrastructure, VMware Cloud on AWS is powered by VMware Cloud Foundation™, the unified SDDC platform that integrates vSphere, VMware vSAN™ and VMware NSX® virtualization technologies. With the same architecture and operational experience on-premises and in the cloud, IT teams can quickly derive business value from use
of the AWS and VMware hybrid cloud experience. For more information on the VMware Cloud on AWS partner ecosystem, visit: http://cloud.vmware.com

About DivvyCloud
DivvyCloud software enables organizations to achieve their cloud computing goals by simplifying and automating security, compliance and cost optimization of public and private cloud infrastructure. Using DivvyCloud, customers can leverage programmatic Bots to identify and remediate common cloud problems in real time. DivvyCloud was founded by seasoned technologists who understand first hand what is necessary to succeed in today’s fast-changing, multi-cloud world. For more information, visit: www.divvycloud.staging.wpengine.com.

VMware, VMware Cloud, vSphere, Cloud Foundation, vSAN, and NSX are registered trademarks or trademarks of VMware, Inc. in the United States and other jurisdictions.

Media Contact(s):
Meredith Bagnulo
PR for DivvyCloud
meredith@bagnulocomm.com
(303) 513-7494

VMware

VMware has been the virtualization engine of the enterprise for more than a decade. DivvyCloud allows customer to define operating policies and standards for their VMware environments.

AWS Re:invent 2017

DivvyCloud is sponsoring and will have a booth this event.

Booth: #1502
Dates: Nov 27-Dec 1, 2017
Location: Sands Expo Hall, Las Vegas, NV

DivvyCloud Executive Speaker Summit

DivvyCloud is hosting and speaking at this event.

*Invitation only*
Date: Oct 23, 2017
Location: Discovery Communications Headquarters

 

BrightTalk Webinar

DivvyCloud is speaking at this event.

Dates: Oct 18, 2017, 2PM EST
Location: Virtual, www.brighttalk.com

AWS Meetup Montreal

DivvyCloud is speaking at this event.

Dates: October 12, 2017
Location: Montreal, Quebec, Canada

AWS Meetup Toronto

DivvyCloud is speaking at this event.

Dates: September 28, 2017
Location: Toronto, ON, Canada

VMWorld 2017

DivvyCloud is sponsoring this event.

 

Booth: #700-G
Dates: August 27-31, 2017
Location: Mandalay Bay, Las Vegas, NV

AWS Summit NYC

DivvyCloud sponsored this event.

Booth: #541
Dates: August 14
Location: Jacob K. Javits Center, New York, NY

Black Hat

DivvyCloud sponsored this event.

Dates: July 26-27, 2017
Location: Mandalay Bay, Las Vegas, NV

Get Started with an Enterprise Trial

Deploy an enterprise version of DivvyCloud