This is the fourth of a new five-part series of articles developed by TAG Cyber in conjunction with Sicura to offer insights and guidance into modern DevOps security using automated and integrated support.
The security challenges that emerge during DevOps are best addressed through use of intelligent automation. Enterprise teams must therefore identify and implement effective automated controls to reduce software development risk. The commercial Sicura platform[2] demonstrates this approach with emphasis on bridging the gap that exists between engineers and security teams.
In the sections below, we outline the salient aspects of the Sicura platform and how it drives greater visibility into security posture – with the goal, ultimately, of reducing cyber risk, increasing operational efficiency, and minimizing operational costs. It does this through functional support for security and compliance enforcement, remediation of server and system misconfigurations, and maintenance of a target security baseline.
The Sicura platform provides actionable guidance for remediation of vulnerabilities based on security standards such as the CIS Critical Security Controls.[3] This includes remediation of policy violations, which can range from simple issues such as poor password selection, to much more complex misconfigurations, such as those which arise in modern multi-tenant public cloud application environments.
The platform integrates with automated configuration management tools such as Puppet[4] to support the enforcement of security requirements in the systems located across a customer environment. A web interface allows for on-going visibility into systems so that the customer can understand the status of servers at all times. Reports can be generated with details and summary information on a customized console (see Figure 1).
Figure 1. Sicura Console Interface
The types of security actions taken based on Sicura scan results will obviously vary based on what has been observed, but remediation of misconfigurations is required not just for continuous compliance, but also to deal with the live threats targeting modern cloud workloads. This is an important point, because it highlights the dual role of DevOps security for both compliance coverage and threat protection.
Perhaps the greatest advantage of the Sicura platform is its support for maintenance of a desired security baseline. Such targeted configuration could result from internal or external compliance objectives, or it could stem from a cyber risk assessment that dictates a desired level of functional control and assurance. In either case, the baseline should be maintained on a continuous basis to avoid coverage gaps that could occur after a review or scan.
By Dr. Edward Amoroso, TAG Cyber CEO
About TAG Cyber
TAG Cyber is a trusted cyber security research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises. Founded in 2016 by Dr. Edward Amoroso, former SVP/CSO of AT&T, the company bucks the trend of pay-for-play research by offering in-depth research, market analysis, consulting, and personalized content based on hundreds of engagements with clients and non-clients alike—all from a former practitioner perspective.
Copyright © 2022 TAG Cyber LLC. This report may not be reproduced, distributed, or shared without TAG Cyber’s written permission. The material in this report is comprised of the opinions of the TAG Cyber analysts and is not to be interpreted as consisting of factual assertions. All warranties regarding the correctness, usefulness, accuracy, or completeness of this report are disclaimed herein.
Next week we'll be back with Part 5 of the TAG Cyber Sicura series. Interested in learning how can Sicura can make your environment more secure and your DevOps team more efficient? Get in touch.
Ready to maintain secure and compliant infrastructure focused on cost, automation, and consistency?