Creating a Cloud Security Strategy with Culture and Technology

Companies like Discovery Communications, Twilio, 3M, General Electric, Fannie Mae that use DivvyCloud successfully not only embrace technology, but also make the cultural and organizational changes necessary to realize the full benefit of securing their enterprise using an automated monitoring, analysis, and remediation tool.

In order to take full advantage of the cloud and containerized computing paradigm, companies need to have the right people, processes, and tools in place in order to execute against the vision. Yet many companies will incur a great deal of expense hoping to achieve the goal only to come up short. These companies spend money on all kinds of software and training, yet they overlook the cultural and personnel changes necessary to fully adopt computing on the cloud.

Companies that have experienced success moving to the cloud have come to understand that you can’t simply buy your way into a digital transformation. A successful digital transformation requires an investment of time and effort from a people perspective. It must have buy in from the top in order to have a sustainable effect as it’s about moving from a command and control management style to one based on an operational theme of trust but verify.

Moving from Command and Control to Trust But Verify
The introduction of cloud computing and containers has brought about a significant change in the way large enterprise customers approach information technology. They’ve gone from having a centralized IT department that’s focused on controlling everything — from user access to server, storage and network provisioning — to a self-service model in which developers create the computing infrastructure as they need it.

This transformation has forced system administrators to move away from being the sole protectors of the IT infrastructure into a role more akin to that of Systems Management Consultant who is concerned with ensuring that the business is getting maximum value from its investment. Thus, while the operational sensibility in the past has been about Command and Control, today the watch words are Trust But Verify. However, for many companies, making this transformation has not been easy.

The notion of letting developers provision environments independently is a hard pill for many system administrators to swallow. Some never make the transformation. But those who have see the value of making automated monitoring and remediation technology part of the IT infrastructure. Allowing developers to have more independence promotes the agility, speed, innovation and sense of experimentation required for modern businesses to maintain a competitive advantage.

Providing a robust set of automated monitoring and remediation tools gives businesses the ability to ensure that developers are acting wisely and not creating risks that are preventable. Supporting a theme of “Trust But Verify” means having a culture that allows developers the freedom to experiment and innovate while also giving systems personnel the tools they need to make sure that developers are working safely. As such, automated monitoring and remediation tools are indispensable. But, as with any tool, they must be used wisely — otherwise the anticipated benefits of the technology can become unforeseen roadblocks. This is particularly true when it comes to configuring a remediations tool’s severity policies.

Want to read more about real-time remediation? Read Automation You Can Trust: Remediating Cloud Misconfigurations and Policy Violations in Real-time.

DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.