DivvyCloud Energy & Utilities Industry Guide

Moving to and thriving in the cloud is fraught with challenges for organizations in the energy and utilities industry.

Compliance
Deregulation in this context does mean that energy and utility companies aren’t subject to compliance. Rather, achieving, maintaining, and substantiating compliance is of critical importance. Depending on the type of services, information, or data that a company handles, they could be subject to comply with:

• PCI DSS
• SOC 2
• FedRAMP
• NIST 800-53
• NERC CIP

This list is not exhaustive, and regulatory compliance requirements are likely to evolve for the foreseeable future. It’s important to remember that compliance with any framework is the responsibility of the CSP customer, not the CSP. Whether you’re using AWS, Azure, GCP, or any other CSP or a combination of CSPs, you as the customer are responsible for configuring and using cloud services securely and in a manner that complies with applicable standards relevant to your business.

We’ve provided an overview of how compliance is relevant to enterprises in the energy and utilities industry. Let’s now focus on what features or capabilities you should look for and leverage in a cloud security tool to support growth and innovation. There are four key areas that will help ensure successful management of your cloud security:

• Visibility
• Unified Posture
• Efficiency and Automation
• Scalability and Adaptability

Visibility
Visibility into cloud environments allows organizations to identify, assess, prioritize, and remediate risk (and automate this entire chain). It is the cornerstone on which strong cloud governance and continuous security are built. Having a complete picture of every cloud service is one of the only ways you can safely identify all security considerations. DivvyCloud by Rapid7 includes capabilities for automated discovery and inventory assessment across CSPs and containers including:

• Infrastructure as a Service, Platform as a Service, and Serverless/Function as a Service support.
  • AWS, including AWS GovCloud and AWS China
  • Microsoft Azure, including Azure GovCloud and Azure China
  • GCP
  • Alibaba Cloud
• Containers as a Service
  • Amazon Elastic Container Service for Kubernetes
  • Azure Kubernetes Service
  • Google Kubernetes Engine
• Private Cloud
  • Kubernetes
  • OpenStack

With support for a range of platforms, DivvyCloud by Rapid7 can help identify gaps and issues across all cloud assets and resources. Armed with this information, companies can ensure the right policies are in place to establish and maintain continuous security and compliance.

Unified Posture
Establishing a unified posture has a number of significant advantages. It’s a great way to cut down on the time spent cataloging resources, and more importantly, it ensures a complete and accurate picture of the assets that need to be evaluated. With a tool like DivvyCloud, an organization has a single interface to view data and make decisions based on a complete understanding of the IT systems, resources, and configurations, regardless of CSP or resource type. Having a consistent, unified approach will also allow you to understand the security and compliance posture across the entire scope of cloud and containers through a standardized asset inventory.

For example, DivvyCloud has developed standard terminology to describe cloud services across cloud environments. In DivvyCloud, you will not see provider-specific resource names like S3 Bucket (AWS), Blob Storage Container (Azure), Cloud Storage (Azure), or Swift (OpenStack). Instead, DivvyCloud uses the normalized terminology “Storage Container” for all of these. By offering this standardized asset inventory, an organization can apply a unified policy and automated, real-time remediation across all of the environments, both existing and future. Unified visibility and monitoring is particularly useful for energy and utility companies, which often have diverse business units that use different tools, systems, and different CSPs.

Efficiency and Automation
Another critical element to evaluate for any tool that you may select to handle your cloud security is the ability to provide efficiency and automation so that you can easily manage your cloud environment and direct your attention to the handful of issues that require manual intervention. In the cloud, communication requirements are far more diverse because of the scope of user and user ability. Most tools are accessible to users regardless of their skill level. Having the correct cloud tools, particularly when dealing with security, can help empower task owners, regardless of their skill level.

With a tool like DivvyCloud, you can provide guardrails for cloud environments, ensuring that your teams can provision within the limits of the policies you’ve defined. In addition, with automation, you can achieve both security and speed at scale. With API polling and an event-driven data harvesting approach to identify risk and trigger remediation, DivvyCloud provides fast detection of changes that enables automated remediation to occur in real time.

Scalability and Adaptability
Scalable cloud security solutions that can adapt to new and updated requirements, now and in the future, are essential for those in the energy and utilities industry. With the quantity of cloud resources that most organizations have, it is often difficult to maintain continuous visibility—let alone security—without the appropriate tools. Failure to have the ability to change and adapt to new requirements can result in noncompliance, misconfigurations, and a host of other problems. In any of these situations, the worst case scenario is always the looming threat of a security breach.

By investing in an enterprise cloud security tool like DivvyCloud, you can protect your organization and adapt to the future challenges of cloud security with features like:

• An extensible platform with API integration capabilities for third-party tools
• Support for hybrid-cloud, multi-cloud, and containers
• Reporting capabilities
• Visibility based on a variety of user types ranging from view-only monitoring to complex administration
• Built-in policies and compliance tools along with limitless customization capabilities
• Proof of compliance for numerous compliance standards

The ability to leverage smart, adaptable enterprise capabilities can help you face all of the challenges we’ve outlined throughout this paper. Efficient, scalable tools will serve you now and into the future as laws, regulations, and standards evolve, regardless of which CSPs you use or your organizational size.