Continuous verification is a proactive security process in which cloud assets are monitored at the time of deployment and continuously throughout their lifecycle in order to detect security issues and the impact the security issues have on other cloud assets in a business´s inventory.
Most Cloud Service Providers provide a range of security solutions that monitor activity in the cloud and alert you to security issues such as vulnerabilities and misconfigurations. Unfortunately, most solutions alert you to security issues retrospectively - by which time the damage might already have been done - and only provide you with limited visibility into the causes of the issues.
The consequences of limited visibility in respect of cloud security are that it can take longer to resolve security issues, the “fixes” used to resolve the issues might not be effective due to something you are unable to see, and the “fixes” - or the lack of effective ones - might impact the functionality of other assets in your cloud inventory.
These problems can also be exacerbated by Cloud Service providers´ security solutions working independently of each other (i.e. Amazon Detective/Inspector/Macie/GuardDuty). It can often be the case that, not only do you never see your security issues in context, your security team can be overwhelmed by false positives.
How Continuous Verification Overcomes these Problems
Continuous verification overcomes these problems by attaching agents to assets at the time of deployment. The agents check the configuration of each asset against a configuration policy and monitor the asset´s performance throughout its lifecycle in order to detect unusual behaviors and other anomalies that agentless solutions would be unable to see.
This process not only helps mitigate data breaches in the cloud, but also gives you total visibility into what assets you have across different accounts, regions, and clouds. This means that, rather than observe security issues as isolated incidents, you can see how assets are interconnected and how a change in the configuration of one asset can elevate the security risk of other assets.
To further enhance your security posture, continuous verification should be used in conjunction with policy-driven automation. Policy-driven automation enables you to apply pre-configured actions when a security policy is violated. For example, you can revoke user access if the continuous verification process identifies an unusual behavior such as an account login from an unrecognized IP address.
Using Continuous Verification Prior to Deployment
The continuous verification process can also be used to accelerate deployments by integrating the process into the development pipeline - ideally between the build and staging processes. This has the benefit of checking the configurations of targeted cloud infrastructures for vulnerabilities and misconfigurations at a stage when - if any are found - they are quick and easy to resolve.
The process is similar to policy-driven automation inasmuch as - when using a solution such as VMware Secure State - you can apply a set of rules which act as guardrails within which DevOps teams can operate. The solution compares the configuration of the asset in its pre-deployment stage and flags any issues it finds - preventing delays at later stages when the issues may be more complex to resolve.
It´s not difficult to see why continuous verification has been described as the “missing link in the CI/CD process”, and if you would like to know more about how continuous verification can mitigate data breaches in your cloud environment, do not hesitate to get in touch. Our team of cloud experts will be happy to answer your questions and organize a free demo of VMware Secure State in action.