Cloud-native security services.

We combine process automation with decades of experience building secure, enterprise-grade applications to provide your team with relevant and actionable security guidance.

Cloud security

Every cloud infrastructure provider maintains a version of the shared responsibility model. They are responsible for the security of the cloud, but you are responsible for the security of what you put in the cloud.

  • Identity

    Is your cloud infrastructure effectively applying least privilege to IAM roles? Are users, groups, roles, and service accounts configured with only the access they need?

  • Networking

    Are your APIs and control planes exposed on public IP addresses? A single DoS vulnerability or remote exploit could bring down the management layer or allow attackers in.

  • Data Access

    Are your storage endpoints exposing sensitive data publicly? Do you monitor all storage endpoints for changes to public access settings? Do you have a real-time inventory of all storage endpoints?

Category                        Issue                                           Severity  Effort
Identity and Access Management  Custom IAM Policy allows escalation to Admin    high      low
Storage                         AWS S3 Bucket is public                         high      low
Global                          AWS Config Service is not configured            high      low
Identity and Access Management  IAM ServiceAccountUser granted at the project   medium    medium
Serverless                      Outdated Lambda runtimes in use                 medium    high
Network Access                  Security Group allows any access to tcp/6379    medium    low
Identity and Access Management  External domains permitted in security groups   medium    low
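The three questions above (identity, networking, data access) and three of the findings in the list can be checked offline against a configuration snapshot. The following is an added example, not tooling from this page or its authors. The snapshot is constructed sample data shaped like the corresponding AWS API responses (GetPublicAccessBlock and GetBucketPolicy, DescribeSecurityGroups, GetPolicyVersion); the top-level keys and the "name" fields are assumptions made for the example.

```python
"""Offline checks for three cloud findings: a public S3 bucket, a security
group open to the Internet on tcp/6379, and a custom IAM policy that amounts
to full admin. Added example; SNAPSHOT is constructed sample data."""
import ipaddress

SNAPSHOT = {
    "s3_buckets": [{
        "name": "example-reports",
        "public_access_block": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False,      # weak: public policies are accepted
            "RestrictPublicBuckets": False,  # weak: a public policy takes effect
        },
        "policy": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-reports/*"},
        ]},
    }],
    "security_groups": [{
        "GroupId": "sg-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},   # weak: Redis port world-open
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},  # internal only
        ],
    }],
    "iam_policies": [{
        "name": "custom-ops",
        "document": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},  # weak: everything
        ]},
    }],
}


def _as_list(value):
    """IAM documents allow a single string or a list in Action/Resource/AWS."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def bucket_is_public(bucket):
    """A bucket policy that allows a public principal makes the bucket public
    unless RestrictPublicBuckets confines that policy to the account."""
    if bucket.get("public_access_block", {}).get("RestrictPublicBuckets"):
        return False
    statements = bucket.get("policy", {}).get("Statement", [])
    return any(s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))
               for s in statements)


def open_to_world_on(group, port, proto="tcp"):
    """True if an ingress rule lets every IPv4 address reach `port`."""
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in (proto, "-1"):  # "-1" = all protocols
            continue
        if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            continue
        for rng in perm.get("IpRanges", []):
            if ipaddress.ip_network(rng["CidrIp"], strict=False).prefixlen == 0:
                return True
    return False


def policy_grants_full_admin(document):
    """True if any Allow statement covers every action on every resource."""
    for stmt in document.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False


def audit(snapshot):
    """Return (category, issue, severity) tuples in the wording of the findings list."""
    findings = []
    for b in snapshot["s3_buckets"]:
        if bucket_is_public(b):
            findings.append(("Storage", f"AWS S3 Bucket is public: {b['name']}", "high"))
    for sg in snapshot["security_groups"]:
        if open_to_world_on(sg, 6379):
            findings.append(("Network Access",
                             f"Security Group allows any access to tcp/6379: {sg['GroupId']}", "medium"))
    for p in snapshot["iam_policies"]:
        if policy_grants_full_admin(p["document"]):
            findings.append(("Identity and Access Management",
                             f"Custom IAM Policy grants full admin: {p['name']}", "high"))
    return findings


if __name__ == "__main__":
    for category, issue, severity in audit(SNAPSHOT):
        print(f"[{severity}] {category}: {issue}")
```

The checks are deliberately narrow: bucket ACLs, NotAction/NotResource statements, and IPv6 ranges are not evaluated, and the wildcard test only catches policies that are literally admin-equivalent. In production the snapshot would be refreshed continuously so that changes to public access settings, the monitoring question raised above, are caught as they happen rather than at the next review.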

Cluster security

The out-of-the-box connectivity model of Kubernetes leads to a positive first-touch experience for developers. But no default Kubernetes installation has adequate security controls in place.

  • Security Add-ons

    Security features like Pod Security Policies and Admission Controllers are add-ons and are often skipped or misconfigured. Without these features properly configured, administrators can easily expose the underlying hosts.

  • Access Control

    RBAC and namespaces are easy to misconfigure in ways that allow excessive admin privileges. Are your RBAC policies enforcing least privilege? Are your namespaces adequately segmented?

Category             Issue                                   Severity  Effort
Security Add-ons     Network Policy support is not enabled   high      low
Metadata API Access  Unprotected cloud Metadata APIs         high      low
IAM Roles            IAM permissions grant cluster admin     high      low
API Access           Control plane allows public access      high      medium
Kubernetes Version   EKS version is not latest               medium    medium
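The access-control questions above and three of the listed findings (public control plane, cluster-admin grants, missing network policies) can be checked from cluster configuration alone. The following is an added example, not tooling from this page or its authors. CLUSTER mirrors the resourcesVpcConfig fields of the EKS DescribeCluster response, and OBJECTS are ordinary Kubernetes manifests written as Python dicts; all names and values are constructed sample data.

```python
"""Offline checks for three cluster findings: a control plane reachable from
the whole Internet, bindings that hand out cluster-admin, and namespaces with
no NetworkPolicy. Added example; CLUSTER and OBJECTS are constructed data."""
import ipaddress

CLUSTER = {
    "name": "example-eks",
    "resourcesVpcConfig": {
        "endpointPublicAccess": True,
        "endpointPrivateAccess": False,
        "publicAccessCidrs": ["0.0.0.0/0"],   # weak: no source restriction at all
    },
}

OBJECTS = [
    {"kind": "Namespace", "metadata": {"name": "payments"}},
    {"kind": "Namespace", "metadata": {"name": "web"}},
    # Built-in binding every cluster ships with; not a finding by itself.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    # Weak: every authenticated identity in the cluster becomes admin.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    # Least privilege: one service account, read-only role.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "web"}]},
    # Default-deny policy selecting every pod, but only in "web".
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "web"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
]


def control_plane_public(cluster):
    """True when the API endpoint is public and at least one allowed CIDR is
    the whole address space (prefix length 0)."""
    cfg = cluster["resourcesVpcConfig"]
    if not cfg.get("endpointPublicAccess"):
        return False
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0
               for c in cfg.get("publicAccessCidrs", []))


def cluster_admin_subjects(objects):
    """Every subject bound to the cluster-admin ClusterRole, as (binding, kind:name),
    skipping the built-in system:masters binding named cluster-admin."""
    hits = []
    for obj in objects:
        if obj["kind"] != "ClusterRoleBinding" or obj["roleRef"]["name"] != "cluster-admin":
            continue
        if obj["metadata"]["name"] == "cluster-admin":
            continue
        for s in obj.get("subjects", []):
            hits.append((obj["metadata"]["name"], f"{s['kind']}:{s['name']}"))
    return hits


def namespaces_without_default_deny(objects):
    """Namespaces lacking a NetworkPolicy whose empty podSelector covers every pod;
    pods there accept traffic from anywhere in the cluster."""
    namespaces = {o["metadata"]["name"] for o in objects if o["kind"] == "Namespace"}
    covered = {o["metadata"]["namespace"] for o in objects
               if o["kind"] == "NetworkPolicy" and o["spec"].get("podSelector") == {}}
    return sorted(namespaces - covered)


if __name__ == "__main__":
    print("control plane public:", control_plane_public(CLUSTER))
    print("cluster-admin grants:", cluster_admin_subjects(OBJECTS))
    print("no default-deny in:", namespaces_without_default_deny(OBJECTS))
```

A NetworkPolicy object is only enforced when the cluster's network plugin supports it, which is the separate "Network Policy support is not enabled" finding; the namespace check here assumes that add-on is in place. Namespaced RoleBindings that reference cluster-admin are also worth listing in a fuller audit, since they grant full rights within that namespace.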

Workload security

Containerization allows development teams to move fast, deploy software efficiently, and operate at scale. Are you taking steps to ensure your workloads are running securely?

  • Image integrity

    Are you enforcing trusted sources for your container images? Are you enforcing specific image versions or hashes?

  • Secrets management

    Are you embedding application secrets in environment variables - baking them into images? Or are you centrally managing and rotating secrets and credentials?

  • Container networking

    The "connected by default" state of Kubernetes makes it easy to get up and running. Are you adequately controlling ingress and egress networking from pods?

Category               Issue                                           Severity  Effort
Cluster Security       Unprotected Tiller and cluster admin binding    high      low
Secrets Management     Secrets statically configured in pod ENV vars   high      low
Container Security     Inconsistent use of CPU/RAM requests/limits     high      medium
Network Security       Network Policies are not implemented            high      medium
Workload Availability  Pod Disruption Budgets not configured           medium    low
Cluster Management     Orphaned persistent volumes found               low       low
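The image-integrity and secrets-management questions above, together with the "Secrets statically configured in pod ENV vars" and "Inconsistent use of CPU/RAM requests/limits" findings, can be checked on a workload manifest before it is admitted. The following is an added example, not tooling from this page or its authors. The Deployment is a constructed sample written as a Python dict in the shape of a Kubernetes manifest; the trusted registry name, the secret-like variable names, and the literal values are assumptions made for the example.

```python
"""Offline checks on a workload manifest: images not from a trusted registry or
not pinned to a digest, secrets written literally into container environment
variables, and containers missing CPU/memory requests or limits.
Added example; DEPLOYMENT is constructed sample data."""
import re

DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "web"},
    "spec": {"template": {"spec": {"containers": [
        {
            "name": "api",
            "image": "registry.example.com/team/api:latest",   # weak: mutable tag
            "env": [
                {"name": "DB_PASSWORD", "value": "hunter2"},   # weak: literal secret
                {"name": "DB_HOST", "value": "db.web.svc"},    # fine: not a secret
                {"name": "API_TOKEN",                           # fine: from a Secret
                 "valueFrom": {"secretKeyRef": {"name": "api-creds", "key": "token"}}},
            ],
            "resources": {"requests": {"cpu": "100m"}},   # weak: no limits, no memory
        },
        {
            "name": "sidecar",
            "image": "registry.example.com/team/proxy@sha256:" + "a" * 64,  # pinned
            "env": [],
            "resources": {"requests": {"cpu": "50m", "memory": "64Mi"},
                          "limits": {"cpu": "200m", "memory": "128Mi"}},
        },
    ]}}},
}

# Assumption: the organisation's own registry is the only trusted image source.
TRUSTED_REGISTRIES = ("registry.example.com/",)
SECRET_NAME_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def containers(workload):
    """Containers of a Deployment/StatefulSet/DaemonSet pod template."""
    return workload["spec"]["template"]["spec"].get("containers", [])


def image_pin_issues(workload):
    """(container, problem) for images from untrusted registries or without a digest."""
    issues = []
    for c in containers(workload):
        img = c["image"]
        if not img.startswith(TRUSTED_REGISTRIES):
            issues.append((c["name"], "untrusted registry"))
        if not DIGEST_RE.search(img):
            issues.append((c["name"], "not pinned to a digest"))
    return issues


def literal_secret_env(workload):
    """Env vars whose name looks secret-like but whose value is inline in the
    manifest rather than referenced from a Secret via valueFrom."""
    hits = []
    for c in containers(workload):
        for e in c.get("env", []):
            if "value" in e and SECRET_NAME_RE.search(e["name"]):
                hits.append((c["name"], e["name"]))
    return hits


def resource_issues(workload):
    """(container, missing field) for every absent CPU/memory request or limit."""
    hits = []
    for c in containers(workload):
        res = c.get("resources", {})
        for section in ("requests", "limits"):
            for key in ("cpu", "memory"):
                if key not in res.get(section, {}):
                    hits.append((c["name"], f"missing {section}.{key}"))
    return hits


if __name__ == "__main__":
    print("image issues:", image_pin_issues(DEPLOYMENT))
    print("literal secrets:", literal_secret_env(DEPLOYMENT))
    print("resource issues:", resource_issues(DEPLOYMENT))
```

The name-pattern test catches only obviously named variables; a value-entropy check or a secret scanner is the complement. The same three functions are what an admission controller would run on the pod template, which is where the "enforcing" in the questions above actually happens.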

We're experts at securing the platforms you use.

Amazon Web Services

Google Cloud Platform

Kubernetes

Docker