There are a lot of difficult problems in security, and as it turns out, moving everything to the cloud doesn’t magically fix them. In some cases it exacerbates them or slows down development and operations teams trying to build and deploy apps rapidly.
To help organizations maintain control of the security and management of their cloud infrastructures, a new company founded by a group of veteran security industry executives and technologists is introducing a new SaaS-based cloud management platform. The company, DisruptOps, has defined a set of what it calls guardrails, security and management controls that organizations can use to automate enforcement of policies. The goal is to enable DevOps teams to move quickly and do their jobs without running into security barriers.
“In a cloud environment, operating a scan and getting a giant report back doesn’t help me. It’s just more stuff I’m not going to have time to fix,” said Mike Rothman, president of DisruptOps and a principal at Securosis, a security research company.
“The guardrails concept is setting and enforcing a set of best practices. People need some granularity for different environments and technology stacks. It’s about fixing and remediating issues automatically.”
The DisruptOps platform is a SaaS product and it comes with a predefined set of controls. The platform performs continuous assessment of a given cloud environment and automates the change-management process to remove the time and resources it take to make manual changes. Among the ops that the platform can perform, for example, is restricting access to a company’s Amazon S3 buckets to known IP addresses.
"It’s about fixing and remediating issues automatically.”
Organizations can also use the platform to enforce multi-factor authentication for specific roles or to remove excessive privileges from a user’s profile. These are all things that security teams know they need to take care of, but can slip through the cracks as apps move to the cloud.
“Every company that is moving stuff to the cloud has these problems. The ones that moved faster have them more acutely,” Rothman said.
There are a handful of large organizations that have built capabilities like these on their own, but most companies don’t have the money or resources to do it internally. The DisruptOps platform is designed to take up the slack for the large population of organizations that can’t build dedicated teams to handle the task.
“We’ve embraced DevSecOps to ensure both our developers and operational teams integrate security into our applications,” said Mike Murray, CSO of Lookout, a mobile security firm. “We can’t afford to slow them down by requiring security functions to be built every time, nor can we risk a catastrophic failure caused by human error.”
Along with Rothman, the DisruptOps team includes CEO Jody Brazil, CTO Brandy Peterson, Rich Mogull, VP of product, and Adrian Lane, VP of development.