Security News

It's no secret misconfiguration is now the cloud's biggest security worry, although tying IaC to specific cloud security incidents is much harder to assess - misconfiguration can happen via any interface and not only IaC. One way to grasp the scale of the issue is to infer the answer by looking at the IaC templates on public repositories such as GitHub - an approach used by Palo Alto's Unit 42 earlier this year when it uncovered 199,000 insecure templates, including many high and medium-level flaws that would lead to serious misconfigurations. "Misconfigured cloud resources are likely the main root cause for unintended exposure of sensitive data for cloud native companies. Misconfigured public interfaces, exposed secrets, and encrypted databases are just a few very common examples where companies have made bad calls when configuring their cloud infrastructure."

Public cloud adoption continues to surge, with roughly 83% of all enterprise workloads expected to be in the cloud by the end of the year. While cloud adoption has transformed the way applications are built and managed, it has also precipitated a radical rethink of how to approach security.

Security is primarily your responsibility – with help from the cloud provider.

The Cloud Security Alliance and the International Systems Security Association announced that the two parties have signed a memorandum of understanding to collaborate on a variety of initiatives with the goal of both supporting and strengthening the cybersecurity profession. "Our partnership with ISSA heralds an exciting opportunity for both organizations to collaborate and bring our strengths and unique sets of expertise to the table to benefit cloud and cybersecurity professionals across the spectrum," said Jim Reavis, co-founder and CEO, Cloud Security Alliance.

IBM has announced a definitive agreement to acquire cloud cybersecurity posture management solutions provider Spanugo. Spanugo's technology allows organizations to demonstrate compliance in real time, while also helping them continuously improve their cloud security to ensure that attacks can be repelled.

FireEye, the intelligence-led security company, announced the availability of FireEye Cloudvisory, a control center for cloud security management across any security environment - private, public and hybrid. Fully integrated into the broader FireEye cloud security portfolio, Cloudvisory now offers customers instant deployment across their cloud infrastructures, and further capabilities in security analytics through FireEye Helix and advanced threat detection through FireEye Detection On Demand.

Cloud security company Ermetic emerged from stealth mode this week with a platform that automates detection and remediation of identity and access-based risks. The company's analytics-based platform, which is available immediately, is designed to automatically discover all identities in the cloud, and analyzes policies and permissions in an effort to identify and remediate access risks.

Companies are increasingly dealing with a slew of security and compliance issues across cloud services and containers - from AWS to Azure to Google Cloud. Infrastructure-as-Code security capabilities can help companies shift their cloud security "Left" to improve developer productivity, avoid misconfigurations and prevent policy violations.

Boston-based security analytics and automation solutions provider Rapid7 said on Tuesday that it has agreed to acquire DivvyCloud, a provider of security and compliance automation solutions for public cloud and container infrastructure. Rapid7 will pay roughly $145 million in cash and stock to acquire the company.

Cloud security company Accurics on Tuesday emerged from stealth mode with $5 million in funding and a free tool that allows organizations to quickly assess their risk posture. "Our goal in developing the Accurics platform was to protect the full cloud native stack throughout the DevOps lifecycle, from the moment it's defined in code and throughout the lifecycle of infrastructure being employed in production," said Piyush Sharrma, co-founder and CTO of Accurics, who previously served as head of engineering at Symantec.