Guardrails for Cloud & Container Security

Automate Security of Your Cloud and Container Infrastructure

Identify security risks in real-time and take automatic, user-defined action to fix problems before they’re exploited.

See 10 Example Policies

Achieve multi-cloud and container security today

Amazon

Microsoft

Google

Alibaba

Kubernetes

Top Security Risks that DivvyCloud Protects you From

Data Breach

Lack of Visibility & Transparency

Insecure Interfaces and APIs

Misconfigurations

User & Permission Management

Weak Authentication

Malicious Insiders

Account Hijacking

Abuse of Cloud Services

Protect your company with 165 out-of-the-box policies: See 10 example policies

Take the CIS Benchmark Challenge

Install DivvyCloud and see how your cloud and container security measure up

Customers Love and Trust DivvyCloud

“DivvyCloud is a way to deploy policy, minimize blast radius and give developers the freedom to operate within the guide rails of safety.”

Thomas Martin

Head of Application Modernization, GE Digital

Secure Your Cloud: 10 Examples of our 165 Out-of-the-Box Policies

Storage Container Exposing Access To World

Maps to Security Standards:

  • NIST Cyber Security Framework (CSF): ID.RA-1
  • NIST 800-53: SC-7

Cloud Account Without Global API Accounting Config

Global API Accounting Config records API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the specific cloud service. Global API Accounting provides a history of API calls for each account, including API calls made via the management console, SDKs, command line tools, and other cloud services. Maps to Security Standards:

  • Center for Internet Security (CIS): Logging 2.1
  • NIST Cyber Security Framework (CSF): ID.AM-1
  • NIST 800-53: AU-12
  • CSA Cloud Controls Matrix (CCM): AIS-04, BCR-07, BCR-10, BCR-11, IAM-01, IAM-12, IVS-01, IVS-03

Cloud Root Account API Access Key Present

The root account is the most privileged user in a cloud account. API Keys provide programmatic access to a given cloud account. It is recommended that all API keys associated with the root account be removed. Maps to Security Standards:

  • Center for Internet Security (CIS): Identity & Access Management 1.12
  • NIST 800-53: AC-6

Cloud Account Without Root Account MFA Protection

The root account is the most privileged user in a cloud account. MFA adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to the cloud account, they will be prompted for username and password as well as for an authentication code from an AWS MFA device. Note: when virtual MFA is used for root accounts, it is recommended that the device used is NOT a personal device, but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independently of any individual's personal devices ("non-personal virtual MFA"). This lessens the risk of losing access to the MFA due to device loss, device trade-in, or the individual owning the device no longer being employed at the company. Maps to Security Standards:

  • Center for Internet Security (CIS): Identity & Access Management 1.13
  • NIST Cyber Security Framework (CSF): DE.CM-3
  • NIST 800-53: PM-11

Network Without Traffic Logging

Network Traffic Logs are a feature that enables you to capture information about the IP traffic going to and from network interfaces in your network. They provide visibility into the traffic that traverses the network and can be used to detect anomalous traffic or to provide insight during security workflows. Maps to Security Standards:

  • Center for Internet Security (CIS): Networking 4.3
  • NIST Cyber Security Framework (CSF): PR.PT-4
  • NIST 800-53: AU-12

API Accounting Config Log Exposed

API Accounting Config logs a record of every API call made in your cloud account. These log files are stored in storage containers. It is recommended that the security policy or access control list (ACL) applied to the storage container that stores the logs prevent public access to the logs. Maps to Security Standards:

  • Center for Internet Security (CIS): Logging 2.3
  • NIST Cyber Security Framework (CSF): PR.PT-4
  • NIST 800-53: AU-9
  • CSA Cloud Controls Matrix (CCM): IVS-01

Access List Exposes SSH to World (Security Group)

Access Lists (Security Groups) provide stateful filtering of ingress/egress network traffic to cloud resources. It is recommended that no security group allows unrestricted ingress access to port 22. Maps to Security Standards:

  • Center for Internet Security (CIS): Networking 4.1
  • NIST Cyber Security Framework (CSF): ID.RA-1
  • NIST 800-53: AC-17
  • CSA Cloud Controls Matrix (CCM): GRM-01

Access List Exposes Windows RDP to World (Security Group)

Access Lists (Security Groups) provide stateful filtering of ingress/egress network traffic to cloud resources. It is recommended that no security group allows unrestricted ingress access to port 3389. Maps to Security Standards:

  • Center for Internet Security (CIS): Networking 4.2
  • NIST Cyber Security Framework (CSF): ID.RA-1
  • NIST 800-53: AC-17
  • CSA Cloud Controls Matrix (CCM): GRM-01

Instance With a Public IP Exposing SSH

Security groups provide stateful filtering of ingress/egress network traffic to cloud resources. It is recommended that no security group allows unrestricted ingress access to port 22. Maps to Security Standards:

  • Center for Internet Security (CIS): Networking 4.1
  • NIST Cyber Security Framework (CSF): ID.RA-1
  • NIST 800-53: CM-7
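
The three security-group policies above (SSH to world, RDP to world, and a public instance exposing SSH) all hinge on the same rule evaluation: does any ingress rule reach port 22 or 3389 from a /0 source range? The evaluator below is an added example, not DivvyCloud's code; it assumes input in the shape of AWS describe-security-groups output, treats both 0.0.0.0/0 and ::/0 as "the world", and accounts for port ranges and "all traffic" rules. The sample groups are constructed.

```python
# Added example (not DivvyCloud code): flag security groups whose ingress rules
# expose SSH (22) or RDP (3389) to the world. Input mirrors the shape of AWS
# describe-security-groups output; the sample groups below are constructed.
import ipaddress

WATCHED_PORTS = {22: "SSH", 3389: "RDP"}

def _covers_port(perm, port):
    """True if the rule's protocol/port range includes `port`."""
    proto = str(perm.get("IpProtocol", "-1"))
    if proto == "-1":  # "all traffic" rule: every port on every protocol
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def _is_world(cidr):
    """A /0 prefix (0.0.0.0/0 or ::/0) means anyone on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def exposed_ports(group):
    """Return the watched ports this group opens to a /0 source range."""
    hits = set()
    for perm in group.get("IpPermissions", []):  # IpPermissions are ingress rules
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(_is_world(c) for c in sources):
            hits.update(p for p in WATCHED_PORTS if _covers_port(perm, p))
    return hits

def find_violations(groups):
    """Map offending group ids to exposed services, e.g. {'sg-x': ['SSH']}."""
    out = {}
    for g in groups:
        ports = exposed_ports(g)
        if ports:
            out[g["GroupId"]] = sorted(WATCHED_PORTS[p] for p in ports)
    return out

# Constructed sample: SSH limited to a corporate range (compliant), RDP open to
# every IPv6 source, and an "all traffic" rule open to 0.0.0.0/0.
SAMPLE_GROUPS = [
    {"GroupId": "sg-corp", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-rdp6", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389,
        "ToPort": 3389, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-open", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
```

Running find_violations(SAMPLE_GROUPS) reports sg-rdp6 for RDP and sg-open for both services; a check that only looked for IPv4 0.0.0.0/0 or only for an exact port match would miss both.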

Encryption Key Not Supporting Key Rotation

Cloud key management services allow customers to rotate the backing key, which is used to perform cryptographic operations such as encryption and decryption. Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed. It is recommended that key rotation is enabled. Maps to Security Standards:

  • Center for Internet Security (CIS): Logging 2.8
  • CSA Cloud Controls Matrix (CCM): AIS-04, BCR-11, DSI-01, DSI-03, DSI-06, DSI-07, EKM-01, EKM-02, EKM-03, EKM-04, IAM-02

Security and Compliance of Cloud

Applying Security To The Cloud Isn’t Simple, But It Is Possible And The Result Is Well Worth the Effort

By Christopher Porter, CISO, Fannie Mae