ESP @ WORK

Continuous Security and Compliance in the Cloud

Insight into real customer implementations.

Uploaded by ngodan, 28-Aug-2018

Copyright © 2017

YOU’RE NOT ALONE - CLOUD SECURITY & COMPLIANCE ISN’T EASY

Evident.io works with hundreds of InfoSec and DevOps professionals of all experience levels across every industry to make cloud infrastructure security and compliance easier. Every organization struggles with the many challenges of cloud security like threat detection, misconfiguration management, risk remediation and compliance with industry standards.

In this guide you’ll find snapshots that describe what challenges our customers are facing and the solutions they are using to overcome them.

All ESP @ Work posts are anonymous because we respect that our customers are not always able to publicly share their success.


Continuous Security for Continuous Development

How can you avoid security roadblocks?

Continuous deployment in the cloud is a lot to manage without automation. And, just trusting and hoping that you’re doing it right isn’t a great strategy.

If we rely on the security team to review everything, the workflow requires developers and administrators to send all of their code or changes to the security team for approval. This creates a huge backlog, slowing down the development team and their deployment cadence. The business impact is severe, because time to delivery is prolonged.

The best approach is a shared security responsibility model and the emerging DevSecOps mindset. Like DevOps, DevSecOps seeks greater efficiency and productivity through team collaboration, but the DevSecOps approach incorporates security principles. This philosophy builds automated security into applications so that it is baked in rather than applied after the fact, or worse, retrofitted later on.

ESP’s native integrations with the DevOps teams’ tools have enabled them to decrease the number of misconfigurations in their cloud without slowing down their continuous deployment processes. This Multinational Gaming Company considers itself “all-in” for AWS/Cloud and has confidence in ESP to enable automation and compliance efficiencies across its business. The success of ESP has opened the doors to their expansion and migration to AWS globally.

“ESP makes it possible for me and my team to optimize our continuous development strategy securely. Both DevOps and SecOps teams are more agile and able to deliver software much faster.”

Principal DevOps Engineer at a Multinational Video Game Company


Fast IT at the Speed of Business

What is the biggest challenge facing retailers in meeting customer expectations?

Customers desire a relevant experience no matter how they choose to shop—full-price, off-price, in stores or online. With increased retail and customer expectations, businesses must adapt at a faster pace today than ever before, requiring retailers to offer seamless customer experiences in order to differentiate their brand.

With this in mind, the Fashion Retailer has developed industry-leading customer value and CX innovation by leveraging “Fast IT at the Speed of Business”. Through a test-and-learn philosophy, they have come up with exciting new ways to make shopping faster, easier and more rewarding for their customers. Because of this proven success, their Executive Management has proclaimed an “all-in” strategy with AWS Cloud as the foundation for their IT operations.

In order to compete effectively and meet the constantly changing customer expectations in the retail and online shopping environments, the Fashion Retailer required agility, innovation, responsiveness and flexibility to meet their business needs. To meet those goals, they created a “Cloud Centre of Excellence” that provides the supportive framework to ensure AWS cloud resources are fully leveraged across their 50+ application teams, while ensuring complete visibility into their cloud infrastructure. It is critical that security, risk and compliance in their Cloud is maintained to meet their stringent corporate security standards and compliance audit requirements. Protecting the privacy of their customers needed to be baked in from the ground up as they moved more and more workloads to the cloud.

Evident.io helped enable continuous innovation with security at the speed of business. ESP’s ability to integrate into the DevOps tool-chain and provide visibility of risk into the Fashion Retailer’s continuous delivery DevOps cloud group gave their Cloud Team the confidence to accelerate their application migration and application development timelines.

“The customer is in control now more than ever with access to increasingly more information and choices. The rapidly changing landscape challenges us to build on our culture of service in new and exciting ways that adapt to our customers’ expectations.”

Co-President at a Leading American Fashion Retailer


“Cloud-first” equals “Security-first”

Is it possible to accelerate cloud adoption while maintaining security and improving customer experience?

Most airlines, together with the airports they interact with, use cloud services worldwide to deliver new services to the industry: passenger services and self-service facilities, travel-time estimation, aircraft identification, emission controls, traffic modeling, integrated fare management and customer loyalty programs. Even select critical operational tasks, such as gathering data from sensors (IoT) to manage maintenance records, have been passed off to the cloud.

This global airline’s future growth rests on reducing costs and growing revenue while continuing to improve the experience for its customers. The organization is relying on the AWS cloud for increased cost savings, substantial operational efficiencies and fast, agile delivery of enhanced, new customer services and revenue streams. Governance, risk and compliance, along with privacy and security, are critical to ensuring that confidential customer data is not compromised and that corporate intellectual property is protected, and the airline was in search of a tool to help them automate this process.

Because of their “cloud-first” strategy, their executive management partnered with Evident.io to integrate key practices and technology, ESP, to produce more secure software and support faster fixes to security problems while increasing visibility for the security operations and cloud teams. They were able to increase the velocity of application migration and development by embedding ESP’s near real-time security capabilities into their DevOps pipeline. By creating security workflows through integrations of ESP’s security intelligence feeds into Slack, ServiceNow and other applications, the security operations and cloud teams have been able to achieve near real-time response to security incidents, configuration drift and compliance deviation.

“Speeding up our adoption of new technology is a priority, but what’s truly exciting is the opportunity we have to use the relationships we have with our customers – and the insights they entrust to us – to shape service and create new businesses.”

CEO at a leading Global Airline


Automating Policy Enforcement

How can you adopt a cloud native DevOps model without sacrificing security?

This organization’s north star is to automate everything that is automatable in the residential mortgage industry. This vision demands scalability, rapid development, and highly secure and highly available solutions. With the adoption of ESP, they have been able to advance their cloud maturity by building out security as code to enable their DevOps team to move faster, securely.

It took about two months and two fully dedicated engineers to build out auto-remediation, or automated policy enforcement. By scripting policy controls and remediation steps through ESP’s integrations with AWS SNS and Lambda workflows, the organization operates in a cloud where security and compliance are continuous.

Their security automation strategy is so strong that every person who gets an AWS account gets an ESP account too. This enables the Online Mortgage Processing Company to advocate for security from the moment of entry, as well as to have full visibility into who is changing what within their cloud environment.
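The SNS-to-Lambda auto-remediation pattern described above, shown as an added example rather than Evident.io’s own code or the customer’s scripts. The SNS envelope (`Records[].Sns.Message`) is the real shape a Lambda function receives from an SNS subscription; the alert fields inside the message (`signature`, `status`, `resource`, `region`, `account`) and the signature names are an assumed shape, not ESP’s documented format. The design point is that remediation is opt-in per control through an allowlist, and that the handler runs dry by default and records every decision.

```python
"""
Hypothetical SNS -> Lambda auto-remediation handler (added example).

The alert JSON fields and signature names below are ASSUMED for
illustration; they are not ESP's documented alert format.
"""
import json

# Allowlist of alert signatures this function may act on, and the
# remediation each maps to. Anything not listed is recorded and left for a
# human: auto-remediation should be opt-in per control, never "fix everything".
REMEDIATIONS = {
    # assumed signature names -> assumed remediation identifiers
    "s3:bucket_public_read": "s3:put_public_access_block",
    "sg:ssh_open_to_world": "ec2:revoke_ingress_0.0.0.0/0_22",
}

REQUIRED_FIELDS = ("signature", "status", "resource", "region", "account")


def parse_alert(sns_event):
    """Extract and validate the alert JSON carried in the first SNS record."""
    record = sns_event["Records"][0]["Sns"]
    alert = json.loads(record["Message"])
    for field in REQUIRED_FIELDS:
        if field not in alert:
            raise ValueError(f"alert missing field: {field}")
    return alert


def decide(alert):
    """Return (action, reason); action is None when nothing should be done."""
    if alert["status"] != "fail":
        return None, "status is not 'fail'"  # pass/info alerts need no action
    action = REMEDIATIONS.get(alert["signature"])
    if action is None:
        return None, "signature not in remediation allowlist"
    return action, "matched allowlist"


def handler(event, context=None, executor=None):
    """Lambda entry point.

    executor(action, alert) is the callable that performs the change (in a
    real deployment it would wrap boto3 calls). When it is None the function
    runs in dry-run mode and only returns the decision, which is what you
    want while tuning the allowlist.
    """
    alert = parse_alert(event)
    action, reason = decide(alert)
    result = {
        "resource": alert["resource"],
        "account": alert["account"],
        "action": action,
        "reason": reason,
        "executed": False,
    }
    if action is not None and executor is not None:
        executor(action, alert)
        result["executed"] = True
    print(json.dumps(result))  # CloudWatch Logs keeps the audit trail
    return result


def make_event(**alert):
    """Build a constructed SNS-wrapped event for local testing."""
    return {"Records": [{"Sns": {"Message": json.dumps(alert)}}]}


# Constructed sample event: a public-read S3 bucket finding (assumed format)
SAMPLE_EVENT = make_event(
    signature="s3:bucket_public_read",
    status="fail",
    resource="example-bucket",
    region="us-east-1",
    account="123456789012",
)

if __name__ == "__main__":
    handler(SAMPLE_EVENT)  # dry run: prints the decision, changes nothing
```

Subscribing the function to the topic that ESP publishes to is the only wiring required; the executor is deliberately injected so the decision logic can be exercised without AWS credentials, and so a production deployment can restrict the Lambda role to exactly the API calls the allowlisted remediations need.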

“I give new people AWS accounts with confidence because they get an ESP account, too.”

Staff Engineer, Cloud Platform at an Online Mortgage Company

“You Build It, You Run It” Drives Team Efficiency


Can security become a part of the corporate DNA?

This universal bank is transforming its security division with the ultimate aim of having one internal organization capable of responding to the various threats it faces. A key part of their new strategy was to establish a joint operations center that functions 24/7/365. To enable continuous monitoring and alerting for configuration changes in their cloud, the CSO and CIO of the security division deployed Evident.io’s Evident Security Platform (ESP®).

ESP has increased the speed, reliability, and inclusiveness of information sharing, reduced duplication of effort and boosted protection for the bank’s members. With ESP, security analysts not only examine security alerts generated at the bank daily, but are also able to prioritize and coordinate a response to remediate vulnerabilities as they occur. Their holistic approach has brought benefits for the security team, has improved operational efficiency, and has demonstrated cost-saving advantages.

“We went through several stages, such as development and implementation of a harmonized security strategy across the organization, gaining greater cross-organization visibility to improve speed to detect, respond and remediate potential issues, and looking at the underlying technology.”

Chief Information Officer, Security Division at a Multinational Financial Services Corporation

Lowering Risk Profile with Innovative Cybersecurity Vision


How can healthcare IT professionals shift from capital-intensive technology investments to operational expenses that offer flexibility and allow focus on their core business objectives?

The answer is public cloud. Today’s healthcare leaders want to direct capital into cash-flow-generating activities and services that allow them to deliver improved outcomes for their customers and business partners while maintaining the highest standard for data privacy and security, and they are opting for an “all-in” long-term cloud strategy.

Cloud computing helps this Fortune 100 Healthcare Company focus on health care rather than on data centers, digital real estate, and the highly expensive skilled professionals needed to maintain and operate them. Evident.io enabled this Fortune 100 Healthcare Company to accelerate the velocity of application migration and development to the cloud by embedding ESP’s near real-time security capabilities into their DevOps pipeline. With ESP doing the heavy lifting for security and compliance, the cloud enablement and information security teams are able to focus on creating innovative, agile and collaborative cloud services for their customers and business partners.

Improving the Big Picture in Healthcare

“With ESP, we can stop hassling over the less important IT stuff & start focusing on improving the big picture for our patients and customers.”

CISO at a Fortune 100 Healthcare Company


Reinventing Cloud Security in the Intelligence Community

How can cloud security help speed up the authority to operate (ATO) process?

“Imagine what we could do if we had ATO in one day; by implementing ESP we are closer to achieving this than ever before.”

Chief of Cloud Security at a US Government Intelligence Agency

Moving to the cloud means that you can implement changes to systems fast, but too often delays occur because obtaining the Authorization to Operate (ATO) takes too long. Like many other intelligence agencies, this agency still has 80+% of its AWS workloads in dev/test environments and is struggling to move them quickly to production.

This agency is moving most of its IT operations to the cloud and is looking to “reinvent security”. The idea is to take advantage of cloud flexibility and re-architect their cloud infrastructure daily so that would-be attackers are confronted with a confusing operating environment and have limited time-on-target. Their Chief of Cloud Security initiated a concept of “Authority To Operate (ATO) in a day” to dramatically reduce the time to deploy cloud services into production.

By reevaluating the agency's Risk Management Framework (RMF), they have enabled their DevOps team to deliver software to the agency's mission at a pace never before possible. The agency implemented Evident.io’s Evident Security Platform (ESP) to help them identify and monitor misconfigurations within their AWS infrastructure. Setup was quick and non-invasive, as ESP requires only read-only access and is completely agentless.

Their cloud security team collaborated with Evident.io to build custom security control checks, risk reports and ticketing flows that map to the agency’s own internal processes. Evident.io’s Support and DevOps teams adjusted the PSaaS CloudFormation templates to ensure that they would work with the Intelligence Community (IC) customer’s unique security and deployment constraints.

ESP enables the intelligence agency to move their AWS workloads to production (ATO) faster. ESP provides the cloud security and IT operations teams with up-to-the-minute actionable reports detailing high, medium and low risks, with recommended steps to remediate the vulnerabilities discovered. By integrating ESP alerts into Jira, the agency is able to identify and prioritize what work needs to be done and by whom across the broader Security, DevOps and IT teams. As a result, their overall cloud security posture has improved and they can securely operate at the “speed of cloud.”


Simplifying NIST 800-53 Compliance in GovCloud

What was the biggest business challenge facing organizations selling to Federal entities?

To utilize IaaS in the public cloud for sensitive workloads, organizations have to comply with US regulations, and unfortunately there are limited options. GovCloud is one such solution that provides all the benefits of the public cloud with the security certifications and requirements that make continuous compliance possible.

In order to sell to Federal entities, this collaborative software company needed to be FedRAMP ready, and Evident.io is a crucial partner in enabling them to accomplish this. Their security and operations teams leveraged the Evident Security Platform (ESP) as a tool to help them achieve it. As a federal solutions provider, they have a true understanding and appreciation of the automated compliance capabilities that come out of the box with ESP. With ESP they were able to extend their infrastructure into AWS GovCloud, reduce the manual effort required to gain insight into their security vulnerabilities, and achieve compliance with NIST 800-53. ESP’s one-button compliance reports, which indicate pass/fail status for all of the testable infrastructure controls, save the organization time and money in validating compliance and providing evidence for auditors.

“What we do would be impossible without Evident.io,” says the Principal Architect for FedRAMP compliance at the Collaborative Software Company; “at the very least, it would be difficult, [and] expensive to develop on our own.”

“The Evident Security Platform (ESP) and the NIST Compliance Report provide practitioners, executives and auditors the information they need to manage and demonstrate compliance. Having the ability to drill down from a compliance report to a control and then down to the actual risks in a clear and easily understandable way gives 3rd parties confidence in our security management practices.”

Principal Architect for FedRAMP at a global Collaborative Software Company


HIPAA & NIST Compliance for SLED

How can publicly funded education institutions benefit from secure cloud adoption?

State and local education institutions are under pressure to modernize their IT infrastructure by migrating to the cloud. While the cloud offers freedom from capital-intensive technology investments and the flexibility to focus on their core research, education and treatment objectives, security can often be a major roadblock on their journey to the cloud.

At the same time, as a teaching hospital, this institution is required to meet HIPAA and NIST compliance standards in order to minimize risk and exposure of customer data stored in the cloud. Keeping users’ data private is something the school takes very seriously.

This School of Medicine has grown to become an internationally recognized leader in medical education, research, patient care and public service and is affiliated with other top-ranked teaching hospitals. Their mission is to improve health and healthcare by creating world leaders in health and science to heal humankind one patient at a time.

With ESP they were able to reduce the manual effort required to gain insight into their security vulnerabilities and achieve compliance with HIPAA and NIST. ESP’s one-button compliance reports, which indicate pass/fail status for all of the testable infrastructure controls, save the organization time and money in validating compliance and providing evidence for auditors and prospective customers alike.

“As a publicly funded educational institution and a teaching hospital, we have no shortage of challenges. ESP helped alleviate both budgetary and compliance headaches as we move more of our workloads to the cloud.”

CISSP Security Analyst, Office of Compliance Services – Information Security at a Public University


ABOUT EVIDENT.IO

Security and compliance for public clouds like Amazon Web Services and Microsoft Azure require a modern and agile approach. Evident.io was founded to make cloud infrastructure security easier and accessible to organizations of all sizes, in all industries. By delivering the fastest security and compliance intelligence available to DevOps, cloud engineers and IT/Risk managers in a friendly, consumable manner, we help you bridge the gap between agile and airtight. The Evident Security Platform (ESP) is an agentless, API-centric platform that combines detection and analysis of misconfigurations, vulnerabilities, and risk, providing a continuous global view and the actionable intelligence needed to rapidly remediate and secure your entire public cloud. ESP can be deployed to even the most complex environments in minutes.

CONTACT US: 7901 Stoneridge Dr., Suite 150, Pleasanton, CA 94588 | (855) 933-1337 | [email protected]