Leveraging OOTB “Policy as Code” for Cloud Security Posture Management

ep105.5
One of the major challenges with cloud security is managing security across all the different pipelines that are active in a large organization. How can you efficiently enforce similar policies across all these different DevOps scenarios, while allowing adequate flexibility for “individual differences”?

To discuss the latest cloud security posture management (CSPM) capabilities and their use cases, a recent episode of The Virtual CISO Podcast features Fausto Lendeborg, co-founder and Chief Customer Officer at Secberus. The podcast host is John Verry, Pivot Point Security CISO and Managing Partner.

Why OOTB policies?

Secberus provides over 600 policies out of the box for customers to get started with. Each of these can be cloned and edited and is completely customizable around factors like compliance regulations and risk severity.

For example, if you’re worried about configuration issues in the public cloud (and who isn’t?), you can quickly set up automated policy checks based on the built-in policies.

You can even leverage the built-in policies to create a compliance validation check against a major regulation like HIPAA or PCI-DSS. It’s conceptually similar to the AWS Security Hub in that regard, for example.

“It’s a dual-facing value proposition,” notes Fausto. “’I’m gonna turn on a bunch of stuff automatically—thank you for doing that for me.’ But everyone has a unique snowflake environment. Everyone’s business and application contexts are different. So, people are going to also want to customize this [policy] to their specific context to get the most value out of it.”


Attribute-based access control

Secberus offers a feature they call attribute-based access control, which dynamically syncs with any identity management solution. It can understand the attributes that each engineer has access to, and from there deliver a tailored dashboard.

Say you have Engineer X working on Application 1 and Engineer Y working on Application 2. When either developer checks their Secberus dashboard, they will see only the policy information (e.g., violations) pertaining to the application they’re working on.

Similarly, you can tailor dashboards to show real-time or scheduled reporting on regulatory compliance. Or you can add custom integrations to share the Secberus data in other tools.

Policies as code

When the Secberus platform generates policy as code, it uses Rego, the policy language of the Open Policy Agent.

“There was a huge project out of the Cloud Native Foundation called Open Policy Agent that built REGO and it has a huge community,” shares Fausto. “REGO is a very easy language to write for an engineer. With 4, 5, 6 lines of code we can read or write through the logic.”

“Create any custom framework, any custom logic, any custom process and automation, and then do that multi-cloud,” Fausto adds.
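The kind of short, editable configuration check described above, written as an added example in Rego for the Open Policy Agent. This is not a Secberus policy; the input shape (a list of cloud storage buckets with `name`, `acl` and `versioning` fields), the `approved_public` exception set and the severity labels are assumptions made for illustration.

```rego
package cspm.storage

import rego.v1

# Buckets that are intentionally public (for example a static website).
# Cloning a built-in policy and editing this set is the sort of per-team
# customization the post describes. Constructed placeholder name.
approved_public := {"example-static-site"}

default allow := false

# Finding: a bucket grants public read access and is not an approved exception.
violation contains v if {
    some bucket in input.buckets
    bucket.acl == "public-read"
    not approved_public[bucket.name]
    v := {
        "bucket": bucket.name,
        "severity": "high",
        "reason": "ACL grants public read access",
    }
}

# Finding: object versioning is off, so accidental or malicious deletion
# cannot be rolled back. Matches when the field is false or missing.
violation contains v if {
    some bucket in input.buckets
    not bucket.versioning
    v := {
        "bucket": bucket.name,
        "severity": "medium",
        "reason": "versioning disabled",
    }
}

# The resource set passes the policy only when no finding is produced.
allow if count(violation) == 0

# Constructed sample input (save as input.json) and evaluation command:
# {"buckets": [
#   {"name": "app-logs", "acl": "public-read", "versioning": false},
#   {"name": "example-static-site", "acl": "public-read", "versioning": true}
# ]}
# opa eval -i input.json -d policy.rego 'data.cspm.storage.violation'
```

Each finding carries a severity so a dashboard or compliance report can filter by risk, and the `approved_public` set is the one place a team edits to record its own accepted exceptions.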

What’s next?

To listen to the podcast with Fausto Lendeborg, Secberus’ Chief Customer Officer, click here.

Wouldn’t it be great if you could be more proactive about cloud security? This blog post describes a cloud-native approach to security analytics and why it outperforms most SIEMs: How Attack Surface Management Can Help Reduce Supply Chain Security Risks
