Cloud-native security services.
We combine process automation with decades of experience of building secure, enterprise grade applications to provide your team with relevant and actionable security guidance.
Cloud security
Every cloud infrastructure provider maintains a version of the shared responsibility model. They are responsible for the security of the cloud, but your are responsible for the security of what you put in the cloud.
-
Identity
Is your cloud infrastructure effectively leveraging least priviledge for IAM roles? Are user, group, roles, and service accounts properly configured with only the access they need?
-
Networking
Are your APIs and control planes exposed on public IP addresses? A single DoS vulnerability or remote exploit could bring down the management layer or allow attackers in.
-
Data Access
Are your storage endpoints exposing sensitive data publicly? Do you monitor all storage endpoints for changes to public access settings? Do you have a real-time inventory of all storage endpoints?
| Issue | Severity | Effort |
|---|---|---|
|
Identity and Access Management
Custom IAM Policy allows escalation to Admin
|
high | low |
|
Storage
AWS S3 Bucket is public
|
high | low |
|
Global
AWS Config Service is not configured
|
high | low |
|
Identity and Access Management
IAM ServiceAccountUser granted at the project
|
medium | medium |
|
Serverless
Outdated Lambda runtimes in use
|
medium | high |
|
Network Access
Security Group allows any access to tcp/6379
|
medium | low |
|
Identity and Access Management
External domains permitted in security groups
|
medium | low |
Cluster security
The out-of-the-box connectivity model of Kubernetes leads to a positive first-touch experience for developers. But no default Kubernetes installation has adequate security controls in place.
-
Security Add-ons
Security features like Pod Security Policies and Admission Controllers are add-ons and are often skipped or misconfigured. Without these properly configured features, administrators can easily expose the underlying hosts.
-
Access Control
RBAC and namespaces are easy to misconfigure in ways that allow excessive admin privileges. Are your RBAC policies enforcing least privilege? Are your namespaces adequately segmented?
| Issue | Severity | Effort |
|---|---|---|
|
Security Addons
Network Policy support is not enabled
|
high | low |
|
Metadata API Access
Unprotected cloud Metadata APIs
|
high | low |
|
IAM Roles
IAM permissions grant cluster admin
|
high | low |
|
API Access
Control plane allows public access
|
high | medium |
|
Kubernetes Version
EKS version is not latest
|
medium | medium |
Workload security
Containerization allows development teams to move fast, deploy software efficiently, and operate at scale. Are you taking steps to ensure your workloads are running securely?
-
Image integrity
Are you enforcing trusted sources for your container images? Are you enforcing specific image versions or hashes?
-
Secrets management
Are you embedding application secrets in environment variables - baking them into images? Or are you centrally managing and rotating secrets and credentials?
-
Container networking
The "connected by default" state of Kubernetes makes it easy to get up and running. Are you adequately controlling ingress and egress networking from pods?
| Issue | Severity | Effort |
|---|---|---|
|
Cluster Security
Unprotected Tiller and cluster admin binding
|
high | low |
|
Secrets Management
Secrets statically configured in pod ENV vars
|
high | low |
|
Container Security
Inconsistent use of CPU/RAM requests/limits
|
high | medium |
|
Network Security
Network Policies are not implemented
|
high | medium |
|
Workload Availability
Pod Disruption Budgets not configured
|
medium | low |
|
Cluster Management
Orphaned persistent volumes found
|
low | low |
