Sonrai Security today added a Governance Automation Engine to Sonrai Dig, a platform that continuously identifies and monitors the relationship between identities and data that exist within a public cloud.
Company CEO Brendan Hannigan said the Governance Automation Engine added to Sonrai Dig makes it possible to maintain least privilege, enforce separation of duties, eliminate risks and lock down critical data. Workflow and role-based alerts and recommended actions can be automatically applied to remediate security issues using bots provided by Sonrai Security, he said.
The need for such capability is especially acute in IT environments that have embraced microservices, Hannigan said, noting as IT organizations deploy microservices-based applications, it’s become impossible for IT teams to track all the dependencies that exist.
Sonrai Dig provides a way to discover and analyze all those dependencies using a graph engine to determine overall security posture, while the Governance Automation Engine makes it possible to enforce policies defined by the cybersecurity team.
Hannigan said IT organizations are being asked to secure integrated services that can easily be a toxic combination. Permissions granted to one microservice can be extended to other services in ways a cybersecurity team never intended. Cybercriminals, meanwhile, are getting more adept at identifying dependencies they can exploit.
Sonrai Dig currently supports Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP) and various distributions of Kubernetes, all of which have well-defined application programming interfaces (APIs) that a graph engine can invoke to discover relationships and misconfigurations. Because most of the services invoked on these platforms are provisioned by developers, misconfigurations have become a major cybersecurity issue when, for example, ports to cloud database or storage services have been left open.
As organizations embrace best DevSecOps practices to address these security issues, Sonrai Dig and Governance Automation Engine will help define the swim lanes around which cybersecurity and application development teams will collaborate, Hannigan said. In theory at least, developers are supposed to be taking more responsibility for implementing controls defined by cybersecurity teams. However, it’s also clear cybersecurity teams need to be able to verify those controls have been implemented.
It’s still early days as far as adoption of best DevSecOps practices is concerned, but the rise of microservices is likely to force the issue soon. Microservices enable developers to build applications that are both more flexible and resilient. The challenge is, not only does each microservice have its own API, but it’s likely the microservice will be ripped and replaced by another microservice. The more microservices are constructed using containers such as Docker, the easier it becomes to replace them. That eventually should lead to more secure applications being deployed, because the need to patch an entire monolithic application with each new vulnerability is eliminated.
That assumes, of course, IT organizations have the tools available to secure the overall cloud-native environment in the first place.