Cloud adoption continues to accelerate. Moving to the cloud brings real advantages, such as faster development, lower cost, and less operational overhead, but it also means that customers must change how they approach security to cover hybrid and fully cloud-hosted infrastructure.
As this happens, security practitioners have to consider how to use their current on-premises tools in both hybrid and fully cloud environments. The onus is on security vendors and cloud platforms such as Amazon Web Services (AWS) to help customers secure their new environment.
The impact of vulnerability management
For many years, vulnerability management has been a cornerstone of on-premises security programs, and it was fairly straightforward: you scanned whatever sat within the four walls of your organization and, more importantly, you knew what you were scanning because you owned it.
With the cloud, this practice has to change, because cloud-hosted assets are ephemeral, services are shared, and responsibility for security is split between provider and customer under the shared responsibility model. You no longer need to scan racks of network equipment, since that layer is the provider's to secure, but knowing exactly what you do need to scan becomes much harder.
Rapid7’s flagship vulnerability management product, InsightVM, has evolved in many ways to help customers secure their hybrid and cloud environments. We partnered with AWS to create a pre-authorized scan engine so that customers can scan their cloud and on-premises environments with a single architecture. We have also worked closely with AWS to ensure the scan engine itself is secure and does not open attack vectors into AWS’s shared infrastructure and shared services that could affect customers platform-wide.
We sat down with two of our customers to discuss how their organizations benefit from using the InsightVM pre-authorized scan engine.
Mike Riella, Guidewire
Mike Riella is at Guidewire, a global provider of software to the general insurance industry. Guidewire moved to AWS in 2012 and currently hosts approximately 5,000 workloads across 130 accounts.
“We were able to easily deploy the pre-auth scan engine within our VPCs,” Riella said. “And because the pre-auth engine is black box, it made it easier to sell to internal stakeholders.”
Discovering ephemeral assets through the integration with the AWS Discovery API is key to Guidewire understanding which assets are live within its VPCs. Once an asset is known, InsightVM can scan it as it is spun up, which gives a near-real-time view of the organization’s risk at any given time.
Another benefit of the pre-authorized scan engine is that Guidewire does not need to submit a request to AWS for approval every time it wants to scan a cloud-hosted asset. That removes a recurring operational burden from the security team, which can spend its time on more impactful work.
For Riella, shedding the burden of owning and maintaining base infrastructure was a key reason for moving to the cloud.
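To make the discovery-then-scan loop above concrete, here is an added example (not Rapid7 or Guidewire code) that diffs two snapshots of an EC2 inventory to find which instances appeared since the last sync and should be scanned now, and which were torn down. The two dicts are constructed to mimic the shape of the EC2 DescribeInstances response (Reservations containing Instances with InstanceId, State, PrivateIpAddress, VpcId and Tags) that a discovery connection pulls through the AWS API; nothing here contacts AWS, and the instance IDs, IPs and VPC names are made up. It keys assets by instance ID rather than by IP because autoscaling routinely hands a replacement instance the IP of the one it replaced, which an IP-keyed inventory would miss.

```python
"""Diff two EC2 inventory snapshots to derive scan targets for ephemeral assets.

Constructed example: the dicts below imitate the shape of the EC2
DescribeInstances response. No AWS call is made.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    instance_id: str
    vpc_id: str
    private_ip: str
    name: str


def live_assets(describe_instances_response):
    """Return running, addressable instances as Asset records keyed by instance ID.

    Only 'running' instances with a private IP are scannable; pending, stopped
    and terminated ones are skipped so a stale snapshot does not yield targets
    that no longer answer.
    """
    assets = {}
    for reservation in describe_instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            ip = inst.get("PrivateIpAddress")
            if not ip:  # no ENI attached yet, nothing to scan
                continue
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            assets[inst["InstanceId"]] = Asset(
                instance_id=inst["InstanceId"],
                vpc_id=inst.get("VpcId", ""),
                private_ip=ip,
                name=tags.get("Name", ""),
            )
    return assets


def inventory_diff(previous, current):
    """Split assets into new (scan now) and gone (retire from the site)."""
    new = {k: v for k, v in current.items() if k not in previous}
    gone = {k: v for k, v in previous.items() if k not in current}
    return new, gone


def scan_targets_by_vpc(assets):
    """Group private IPs by VPC, one scan job per VPC-resident scan engine."""
    groups = {}
    for asset in assets.values():
        groups.setdefault(asset.vpc_id, []).append(asset.private_ip)
    return {vpc: sorted(ips) for vpc, ips in groups.items()}


def _instance(iid, state, ip, vpc, name):
    inst = {"InstanceId": iid, "State": {"Name": state}, "VpcId": vpc,
            "Tags": [{"Key": "Name", "Value": name}]}
    if ip:
        inst["PrivateIpAddress"] = ip
    return inst


# Constructed snapshot from the earlier sync: two web nodes in vpc-app.
PREVIOUS_SYNC = {"Reservations": [{"Instances": [
    _instance("i-0aaa", "running", "10.10.1.10", "vpc-app", "web-1"),
    _instance("i-0bbb", "running", "10.10.1.11", "vpc-app", "web-2"),
]}]}

# Constructed snapshot from the current sync: web-2 was autoscaled away and
# replaced by i-0ccc, which re-used its IP; i-0ddd is still pending with no
# address; a database host appeared in a second VPC.
CURRENT_SYNC = {"Reservations": [{"Instances": [
    _instance("i-0aaa", "running", "10.10.1.10", "vpc-app", "web-1"),
    _instance("i-0bbb", "terminated", None, "vpc-app", "web-2"),
    _instance("i-0ccc", "running", "10.10.1.11", "vpc-app", "web-2"),
    _instance("i-0ddd", "pending", None, "vpc-app", "web-3"),
    _instance("i-0eee", "running", "10.20.1.5", "vpc-data", "db-1"),
]}]}


def example():
    """Run the diff over the constructed snapshots."""
    previous = live_assets(PREVIOUS_SYNC)
    current = live_assets(CURRENT_SYNC)
    new, gone = inventory_diff(previous, current)
    return sorted(new), sorted(gone), scan_targets_by_vpc(new)


if __name__ == "__main__":
    print(example())
```

The IAM principal used for such a sync needs only read access (ec2:DescribeInstances); the scan engine's own credentials are a separate concern and should not be reused for discovery.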
“The shared security model helped greatly with this because we had the confidence that AWS would deliver secure infrastructure for us to build on and allow us to focus on our strengths of delivering quality product to our customers faster and more securely,” he said.
Dominic Pace, CognitiveScale
Dominic Pace, Director of Information Security at CognitiveScale, a provider of industry-specific augmented intelligence (AI) software, uses the InsightVM pre-authorized scan engine to scan AWS accounts across the United States and Europe.
CognitiveScale helps its customers deploy AI systems faster, so uptime, speed, and flexibility are key. Its distributed environment required a flexible, cloud-friendly security solution that maintains a high level of protection without compromising availability.
“We chose to bring in the InsightVM solution because of its ability to support AWS via the pre-authorized scan engine, the integration with the AWS Discovery Service, and the CIS benchmarking ability,” said Pace.
Pace went on to describe how his team deployed InsightVM. The straightforward deployment and console pairing process was a win for them. “While using InsightVM in conjunction with the AWS platform, we were able to optimize the deployment by peering a dedicated VPC containing only the pre-authorized scan engine with all of our other VPCs. In addition, we were able to leverage security groups to organize the way that we scanned our environment.”
CognitiveScale also relies on InsightVM’s Container Assessment capabilities with Docker. “The ability to discover and assess containers in real time is a major benefit because many of our services are run on containers,” Pace concluded.