Prevent Cloud Breach Without Slowing Innovation

Many organizations must move hundreds or thousands of applications to public cloud within the next 12–24 months. Whether pursuing a lift-and-shift strategy, or rearchitecting applications using cloud-native services, most have invested in DevOps practices to improve the speed and quality of software delivery. Regrettably, the same cannot be said for cloud security practices.

That’s not to suggest that organizations have not heavily invested in cybersecurity. On the contrary, a recent cloud threat report found that 78 percent of companies use more than 50 discrete cybersecurity products, with one in three using more than 100 cybersecurity tools1

However, almost all public cloud breaches stem from misconfiguration of cloud services. Traditional cybersecurity tools were not designed to prevent, detect, and correct misconfiguration, nor do so at the speed and scale of public cloud. And existing CSPM, CWPP, and infrastructure-as-code scanning tools are either fragmented — meaning they only cover part of the cloud application lifecycle, or they are immature — meaning their security domain and control coverage is extremely limited. This leaves organizations in the unenviable position of having to either throttle cloud innovation or accept the increased risk of a cloud breach. Neither is acceptable.

It’s Time for a Change

Cloud security must fundamentally change. However, real change can be challenging and often viewed within cybersecurity as a catalyst for uncertainty and risk. But since public cloud has essentially introduced a new business operating model, cybersecurity must respond in kind. Fortunately, many CISOs have been busy knocking down walls and building bridges within organizations to drive value and change the perception of cybersecurity from business obstacle to business enabler, which empowers digital transformation with confidence.

Each year, Gartner recognizes a small number of innovative technology companies as Cool Vendors. Gartner Cool Vendors research is “designed to highlight interesting, new and innovative vendors, products and services.” These are companies that aspire to make real change by solving foundational challenges faced by the customers and markets they serve. Concourse is thrilled to announce that we were recently named a Gartner Cool Vendor in Cloud Computing:

 

Click here for complimentary access to the research

 

“We are honored by this recognition and believe it validates our leadership in Security-as-Code to change the game in cloud security,” said Scott Crenshaw, CEO of Concourse Labs. “With Concourse, companies can now rapidly move hundreds or thousands of applications to public cloud safely, while systematically preventing the number one source of cloud breaches and increasing the productivity of security and development teams.” 

What Makes Concourse Cool?

Concourse is the only Security-as-Code solution that enables the rapid detection and remediation of misconfigured cloud services continually at every stage of the cloud application lifecycle. By using one comprehensive policy architecture, organizations can embed security far left, into source code management tools like GitHub and Bitbucket, to prevent non-compliant code from being deployed and continuously monitor runtime environments for drift, attack, and misuse. This eliminates security gaps and removes friction, which result from having to use multiple solutions, each with its own policies, control checks, and GUIs.

“You don’t need to have a person doing a security review you have the software doing the security review on your behalf. The content of that review would still need to come from people with expertise, and that could be either expertise that you’re buying as part of the software product, or it could be your own professionals’ expertise that’s getting scaled because it’s being encapsulated into the software itself,” said Don Duet, co-founder Concourse Labs.

We’ve found a high failure rate among Security-as-Code initiatives that do not have a central way to manage security controls that’s similar to how application source code is managed. Concourse eliminates this common pitfall with the most advanced ‘gitops-style’ environment for managing and auditing a growing number of codified cloud policies, controls, and associated permissions.

Security-as-Code Makes Shift-Left Possible

Security-as-Code is the only way organizations can gain comprehensive visibility and control of cloud security and compliance risk, across the full application lifecycle, at cloud speed and scale. It is the practice of expressing security and cloud control objectives in code and is predicated on the notion that security should be considered an integral part of the SDLC and treated like other forms of code. This way, cloud controls can be created, enforced, and managed at the same speed and scale as the cloud infrastructure automation organizations have already achieved.

McKinsey summed it up nicely in their seminal report Security as Code: The best (and maybe only) path to securing cloud applications and systems: “Too often, security is viewed as an obstacle to cloud adoption. What should be a frictionless deployment process with security embedded at the outset becomes weeks or months of back-and-forth between developers, infrastructure, and security as they try to shoehorn cloud deployments into legacy security mechanisms. Lengthy approvals ranging from third-party assessments to firewall changes not only decrease the overall value proposition of the cloud but also increase the need for risky policy exceptions to accommodate business requirements2.” 

Concourse eliminates this friction, systemically increases cloud security, and delivers unambiguous security results. With Concourse, organizations can, for the first time, fully automate cloud security reviews and ensure cloud data stores are properly encrypted and key material is secure. They can know which cloud services are exposed to the public internet, eliminate shadow cloud resources by verifying trusted ones, remove excess permissions and weak IAM controls, and much more. All without slowing cloud innovation.

 

Click here for complimentary access to the research and to learn more about how Concourse increases the velocity of cloud security reviews by up to 30X and empowers teams to implement cloud security best practices in minutes!

1 Oracle and KMPG, Cloud Threat Report

2 McKinsey, Security as Code: The best (and maybe only) path to securing cloud applications and systems