Today we kicked off the 17th edition of our annual VMworld conference with a string of exciting multicloud security announcements, including new CloudHealth Secure State capabilities to help customers combat cloud security risks and make cybersecurity intrinsic to the business strategy.
At VMware, it’s our firm belief that security should be proactively built into infrastructure and not bolted-on. Companies need to build a strong security culture that encourages collaboration between development, security, and operations teams. Together these teams should leverage security knowledge of both the infrastructure context and latest attack vectors to defend against potential security threats.
A recent study found that nearly 80% of organizations have experienced at least one cloud data breach in the last 18 months [1]. Given that the leading cause of security breaches in the cloud is infrastructure misconfigurations [2], it’s more critical than ever to deploy a robust intrinsic security approach for the public clouds. To address this growing problem, last year, we announced the initial availability of CloudHealth Secure State (formerly known as VMware Secure State) with a mission of helping companies better manage public cloud security and compliance risks.
Cloud Security Transformation: Customer Stories and Results
As of today, CloudHealth Secure State protects over 56 million cloud assets and has helped organizations discover more than 10 million security and compliance risks in AWS and Azure. One of the organizations successfully driving cloud transformation is RSA, a company that is itself a leader in digital risk management. RSA is using CloudHealth Secure State to reduce misconfiguration risks and get security, developer, and operations teams on the same page.
RSA has completed a nearly 100% rollout of Secure State across cloud providers. “Security findings we resolve every month are now trending up, which means the training, governance controls, and learnings are improving across the board. The result is happier developers, safer cloud environments, and the business is more confident than before,” said Julian Cooper, Security Engineering and Operations Team Lead at RSA.
As cloud environments become more distributed and dynamic, it’s critical that companies make security a core part of their DevOps culture. Jobcase, a job marketplace and social platform provider, is driving this cultural transformation by moving to a decentralized model for tech ops. “How do you ‘shift left’ on security without sacrificing agility or speed?” said Patrick Hetherton, Vice President of TechOps at Jobcase. “We use CloudHealth Secure State as part of that effort. It’s enabled even better collaboration between DevOps and engineering, and helped us put guardrails in place to develop safer, secure applications and embody a ‘develop quick, act fast’ mentality.”
Emerging Cloud Security Challenges
Today, we continue to engage with our customers and prospects, asking them how we can better help them improve their security posture and operationalize their cloud security. Based on several conversations, I can summarize most of their needs under three different categories:
- Multicloud visibility breadth and depth: An organization’s cloud security posture is only as good as its weakest security link. As our customers expand cloud usage to include new services and cloud providers, they want to ensure maximum security visibility and controls across these environments. As most cloud-native applications are built using multiple connected IaaS, PaaS, and SaaS services, even a single undetected misconfiguration can expose services and accounts that are otherwise properly secured. Last year, we made a significant investment to build a framework, system, and team to scale this work. We know that customers demand coverage and we’re now seeing the fruits of this effort with an impressive expansion of base services and insights we support.
- Education and accountability of developer teams: Cloud security is a team sport. The central security and operations teams must define security baselines and best practices for different services. But making sure that they're followed requires accountability and strong engagement from developer teams. Developers need an easy way to benchmark security, understand why something qualifies as a risk, and learn how to fix issues quickly. Cloud security teams need a flexible approach to enable developers without becoming a blocker to agility. It’s our mission to go beyond detection and really help solve the workflow and collaboration friction points between cloud teams.
- Faster way to fix known security violations: While most organizations want to shift left and address security issues proactively during application development, the reality is far from it. 92% of organizations admit that their cloud security programs lag behind business in terms of cloud maturity [3]. Most cloud security teams are just getting started, facing a mountain of security violations that need to be addressed in existing cloud accounts and applications. They need help with building new auto-remediation capabilities for fixing issues quickly to lower security risks across cloud environments.
CloudHealth Secure State: What's New
Today, I’m pleased to announce several new features and enhancements that address these needs and help even the largest enterprises operationalize cloud security through better visibility, simplified governance, and scalability.
Google Cloud Support For Comprehensive Multicloud Security Posture Management
CloudHealth Secure State helps public cloud teams get intelligent, real-time insights into resource misconfigurations across AWS and Azure cloud environments. The service now also supports Google Cloud, enabling users to extend security visibility and manage risk consistently across the three major public cloud providers.
Key features available to Google Cloud users:
- CIS Benchmark assessment of services such as compute, network, and storage
- Near real-time detection of resource changes and misconfigurations with the help of Google Cloud Logging service integration
- Graph visualization to improve understanding of security context including resource configurations, relationships, and connected risks
- Findings API to proactively detect security violations during development through CI / CD integration
- Easy onboarding of multiple projects with the help of organization level read-only roles
More Than 20 New AWS and Azure Services Including Kubernetes and Serverless Support
CloudHealth Secure State is rapidly adding support for new AWS and Azure services to give our customers the broadest visibility into the environments they secure. In the last few months, we’ve added support for more than 20 new services including Amazon ECS, EKS, Lambda, Elasticsearch, ElastiCache, Azure Kubernetes Service, Functions, and Cosmos DB. Support for every new service gives users an ability to search inventory, visualize resource relationships, track changes, and build custom security rules and actions, in addition to detecting misconfigurations based on pre-defined security best practices.
Projects General Availability To Improve Collaboration Between Security and Developer Teams
CloudHealth Secure State is announcing the General Availability of Projects functionality to help drive collaboration between central security and service owners. Projects is a foundational capability in the platform that enables security administrators to create groups of multiple public cloud accounts and provide respective account owners security visibility through role-based access controls in the platform.
This enables security teams to centrally define baseline security and compliance controls consistently for all projects, while distributing the responsibility of monitoring security violations for each project across respective service owners. Service owners can also request exceptions to central security policies, create reports, or build integrations at a project level. Overall, Projects help large enterprises manage cloud complexity through centralized governance and scale security best practices by empowering developer teams.
Custom Compliance Frameworks To Benchmark Organization Specific Security Standards
When clothes shopping, how often do you feel that if only a retailer could add just one extra pocket or slightly shorten the sleeves, you’d get the perfect fit you need? Custom compliance gives security standards the precision that tailor-made clothing lends to your wardrobe.
Industry standard security benchmarks and compliance frameworks are great for getting started on your cloud security journey. But as your security organization matures, you often need customization to enhance existing security standards. The desired use case may be to add custom rules to plug security gaps, build a super framework that combines multiple security and compliance standards, or precisely target a minimal set of rules to protect the specific services a team uses.
CloudHealth Secure State’s Custom Compliance Frameworks enable an organization to achieve this level of precision by grouping security rules from different sources and continuously benchmarking security posture against its organization-specific standards.
Azure Remediation Support To Build Security Guardrails and Automate Actions
With DevOps teams using pipeline automation to rapidly iterate and introduce hundreds of new infrastructure updates every week, cloud security teams need an automated approach to keep pace, verify security posture, and remediate issues. CloudHealth Secure State offers a flexible remediation framework to help cloud teams automate security actions in AWS environments without elevating account write privileges to the SaaS monitoring service.
CloudHealth Secure State is now extending remediation support to Azure environments, enabling users to proactively scale security and remediate thousands of misconfigurations at once. The solution is designed to help cloud security teams collaborate with DevOps teams and gain trust as they gradually scale best practices. With CloudHealth Secure State’s real-time detection and remediation support, users can now close the loop on cloud security and compliance to mitigate risks proactively.
- Zero-trust security for users to remediate misconfigurations without elevating Azure Subscription write-access to CloudHealth Secure State monitoring service
- Remediation jobs that can be triggered using pre-defined, out of the box actions or custom actions defined as code
- Remediation flexibility to quickly fix all resources that violate a particular security rule or selective resources based on conditions such as accounts, regions, or tags
- Delegation of security to developers who can define new remediation jobs or leverage jobs published by security administrators to fix issues
- Security and compliance guardrails to help developers avoid critical mistakes by auto-remediating new security violations instantly
- Audit trail for centralized visibility into remediation progress and resource configuration changes
Open Source Remediation Jobs For Community Members To Collaborate and Scale Security
In line with our commitment to give back to the developer community, CloudHealth Secure State remediation jobs for AWS and Azure are now open sourced. The service continues to enhance the library of jobs available, while inviting all users to engage and contribute new jobs so they can help each other resolve findings faster. Each new job submitted to the GitHub community is also tested and verified by the product team, so that users can confidently embrace jobs that their peers are automating.
Attend VMworld Sessions and Learn More
We've curated a number of cloud security thought leadership sessions, CloudHealth Secure State technical deep dives, and demos for you at VMworld. The event this year is online and free to register. If you're looking for smarter ways to manage public cloud security and improve compliance, we definitely recommend you watch these sessions. You can also request a meeting with the CloudHealth Secure State team directly.
1. "Most companies suffered a cloud data breach in the past 18 months," Help Net Security, June 3, 2020, https://www.helpnetsecurity.com/2020/06/03/cloud-data-breach/
2. "2020 Cloud Security Report [ISC2]," Cybersecurity Insiders, Accessed September 28, 2020, https://www.cybersecurity-insiders.com/portfolio/2020-cloud-secuity-report-isc2/
3. "Oracle and KPMG Cloud Threat Report 2020," Oracle, Accessed September 28, 2020, https://www.oracle.com/cloud/cloud-threat-report/