Ten Selection Criteria, from the Cavirin eBook, 'Securing Your Hybrid Cloud'
1: Flexibility
The ease of implementation and the ability to span multiple workload environments (e.g., IaaS, PaaS, on-premise, VMs, containers, and in the future, FaaS) while delivering a single view is integral for mid-size and enterprise organizations. Ideally, if initially deployed on-premise, the same tools and applications will extend into the cloud. This implies that the platform architecture has been conceived from the start for hybrid environments. Flexibility also includes ease of installation from a cloud service provider's marketplace.
2: Extensibility
DevOps-friendly open APIs open the platform to external data sources and sinks such as IAM/PAM, SIEM/UEBA, logging, threat intelligence, or a helpdesk. This out-of-the-box cloud and API interoperability is essential to accommodate business-critical applications. APIs also enable integration into an organization's CI/CD process and its DevOps tools. This of course relates to lifecycle container support that encompasses images, the container runtimes, and orchestration.
3: Responsiveness
As today's security threats quickly multiply, minimizing the time required for implementation and time to baseline, as well as quickly identifying any changes in posture, has become vital. This implies a microservices-based architecture for elastic scaling, and an agentless architecture that adapts well to containers and function-based workloads while eliminating 'agent' bloat that consumes CPU, memory, and I/O.
4: Agility
The platform should permit the organization to initially sample the part of the network (a fraction of the workloads) that is critical to them within a given time period, and then scale from there. The cloud provides this agility, and the security tool architecture must be designed to follow suit.
5: Deep Discovery
It's essential to automatically identify existing and new workloads, as well as changes to existing ones, across multiple cloud service providers, and then to properly group these by function. This discovery should be a simple process, leveraging existing AuthN and AuthZ policies to avoid having to create a special IAM policy every time.
6: Broad Policy Library
The platform must support a wide range of benchmarks, frameworks, and guidelines, and the creation of custom policies based on workload type. These policies should automatically apply to existing and new workloads. Broad coverage also relates to OSs, virtualization, and cloud service providers. Capabilities may include OS hardening, vulnerability and patch management, configuration management, whitelisting, and system monitoring.
7: Real Time Risk Scoring Across Infrastructure
Assets, once discovered and with policies applied, must be scored. This may be individually, across different slices of the infrastructure (e.g., location, subnet, department), by workload type across environments (e.g., cloud and on-premise), or by application (e.g., PCI, web). Scoring must be prioritized, available historically, integrated with third-party tools for automation or into an existing UI, and most importantly, correlated. For example, an organization operates a web server farm with 10 on-premise Red Hat Enterprise Linux servers and begins to transition to the cloud. Mid-way through the migration, five web servers are on Azure and five on-premise. If tracking PCI compliance, the tool must generate a normalized view across both environments.
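The normalized, correlated view the migration example calls for can be sketched in a few lines. The following is an added illustration, not Cavirin's code or scoring model: the check identifiers, their weights, the ten hosts and their pass/fail results are all constructed placeholders loosely modelled on PCI DSS-style controls. The point it shows is that once every host reports against the same weighted policy, scores can be sliced by environment, OS or application with the same arithmetic, and failures can be ranked by total impact across the whole estate rather than per location.

```python
"""Hypothetical normalized compliance scoring across a hybrid estate.

Added example (not Cavirin's code). Check ids, weights and host data are
constructed placeholders; the weighting scheme is an assumption.
"""
from collections import defaultdict

# Constructed policy: check id -> weight (higher = more critical).
CHECKS = {
    "pci-1.2-firewall-config": 3,
    "pci-2.2-hardening": 2,
    "pci-6.2-patching": 3,
    "pci-8.2-auth": 2,
    "pci-10.2-logging": 1,
}


def make_host(name, env, failing=()):
    """Build a constructed host record; every check not in `failing` passes."""
    return {
        "name": name,
        "env": env,
        "os": "rhel",
        "app": "web",
        "results": {c: (c not in failing) for c in CHECKS},
    }


# Constructed sample: five on-premise and five Azure web servers mid-migration.
HOSTS = [
    make_host("web-01", "on-prem"),
    make_host("web-02", "on-prem", {"pci-6.2-patching"}),
    make_host("web-03", "on-prem", {"pci-10.2-logging"}),
    make_host("web-04", "on-prem"),
    make_host("web-05", "on-prem", {"pci-6.2-patching", "pci-2.2-hardening"}),
    make_host("web-06", "azure", {"pci-1.2-firewall-config"}),
    make_host("web-07", "azure"),
    make_host("web-08", "azure", {"pci-1.2-firewall-config", "pci-10.2-logging"}),
    make_host("web-09", "azure"),
    make_host("web-10", "azure", {"pci-8.2-auth", "pci-10.2-logging"}),
]


def host_score(results, checks=CHECKS):
    """Weighted percentage of passed checks (0..100), one decimal place."""
    total = sum(checks.values())
    passed = sum(w for c, w in checks.items() if results.get(c) is True)
    return round(100 * passed / total, 1)


def score_by(hosts, key):
    """Average host score grouped by an attribute such as env, os or app.

    The same function yields the per-environment slice and the normalized
    application-wide view, because every host is scored on one policy.
    """
    groups = defaultdict(list)
    for h in hosts:
        groups[h[key]].append(host_score(h["results"]))
    return {k: round(sum(v) / len(v), 1) for k, v in groups.items()}


def prioritized_failures(hosts, checks=CHECKS):
    """Rank failing checks by total weight across all hosts, highest first.

    This is the 'prioritized and correlated' part: a control failing on
    Azure and on-premise hosts is counted once, estate-wide.
    """
    impact = defaultdict(int)
    for h in hosts:
        for c, w in checks.items():
            if not h["results"].get(c):
                impact[c] += w
    return sorted(impact.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("by environment:", score_by(HOSTS, "env"))
    print("by application:", score_by(HOSTS, "app"))
    for check, weight in prioritized_failures(HOSTS):
        print(f"{weight:>3}  {check}")
```

In practice the per-host results would come from the platform's own checks or a third-party scanner through its API, and the history requirement is met by timestamping each `host_score` and storing it, so the same grouping can be replayed for any past point in the migration.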
8: Container (Docker) Support
Docker technology has attracted the attention of many enterprise adopters. If you are implementing containers either on-premise or as part of a cloud deployment, you need to ensure that those workloads are secure. And if you bring in images from a registry, you need to ensure that these have not been tampered with. Many of the same capabilities described in (6) apply here as well, such as hardening, scanning, and whitelisting. One way to look at container support is across a lifecycle that includes image scanning, run-time hardening, and security at the orchestration layer.
9: Cloud-agile Pricing
Reflecting the cloud compute and storage pricing model, it's important to adopt a pricing model that has the flexibility to meet changing requirements. This may involve a SaaS offering, or connecting the back-end of the platform to the cloud service provider's billing engine, with an ability to charge to the minute. Alternatively, pricing may be abstracted but still agile, closer to the concept of committed and burst workloads, and analogous to a cellphone provider's rollover-minutes model. In either case, this is a departure from existing static pricing.
10: Intelligence
Predictive analytics permits the platform to 'predict' the outcome of a change, a 'what-if' analysis for configurations and OSs that is crucial in today's quickly changing environment. The platform is capable of bringing in data from third parties via APIs to create a more correlated view of this change. Some customers describe this as a 'virtual whiteboard.'
For more content from the eBook, go to https://www.cavirin.com/ebook-securing-your-hybrid-cloud