Top 5 Tactics for Improving Cloud Security Hygiene for Businesses

Kutubkhan Bohari | November 22, 2022

In the past couple of years, the world has gone through a rapid digital transformation, which has led to a deeper penetration of modern technologies such as cloud computing, artificial intelligence, data analytics, and others.

As a result, smart businesses are shifting their digital resources to the cloud to benefit from features such as streamlined operations, centralized data storage, increased operational flexibility, and hassle-free data transition. As per a study conducted in 2022, nearly 94% of businesses around the world are using at least one cloud service.

Every enterprise possesses large volumes of sensitive data, including financial statements, business designs, employees’ identity information, and others. As organizations worldwide migrate from on-premises working to a remote working model, more data is being stored in the cloud than ever before, making cloud security one of the most crucial aspects for businesses today.

5 Proven Tips to Strengthen Cloud Security Hygiene for Businesses

With the advent of cloudification and the increasing use of cloud-based applications, the prevalence of cybercrime has increased significantly. For instance, in the wake of the COVID-19 outbreak, there has been a significant spike in cybercrime, with reports of a 600% increase in malicious emails. Furthermore, a report from the United Nations says that cybercrime will cost the world economy $10.5 trillion every year by 2025.

Cloud providers such as Google Cloud, Microsoft Azure, and Amazon Web Services have their own data protection measures for securing the services they provide. That does not mean businesses using these services should rely solely on the providers' security measures; they should consider adopting additional measures of their own.

So what are the tactics modern businesses should adopt to improve cloud security hygiene? Let’s see:


Deploy Multi-Factor Authentication (MFA)

When it comes to keeping hackers out of user accounts and protecting sensitive data and applications used to run a business online, the traditional username and password combination is often not enough.

Leverage MFA to prevent hackers from accessing your cloud data and to ensure only authorized personnel can log in to your cloud applications and critical data, whether your environment is on- or off-premises. MFA is one of the most affordable yet highly effective controls to strengthen your business's cloud security.


Manage Your User Access

It is crucial for your business to ensure adequate permissions are in place to protect sensitive data stored on cloud platforms. Not all employees need access to certain applications and documents.

To improve your cloud security and prevent unauthorized access, you need to establish access rights. This not only helps prevent unauthorized employees from accidentally editing sensitive company data but also protects your company from hackers who have stolen an employee's credentials.


Monitor End User Activities

Real-time analysis and monitoring of end-user activity can help you detect anomalies that depart from usual usage patterns, such as logging in from a previously unknown IP address or device.

Identifying these out-of-the-ordinary events can stop hackers and allow you to fix security gaps before they cause mayhem.
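The check described above (a sign-in from a previously unknown IP address or device) can be sketched as follows. This is an added example, not part of the original article; the event field names, the /24 and /64 grouping, and the `min_history` threshold are assumptions, and the sample events are constructed.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample sign-in events, one JSON object per line. The field names
# are assumptions, not the audit-log schema of any particular cloud provider.
SAMPLE_EVENTS = """\
{"ts": "2022-11-01T08:02:11Z", "user": "alice", "ip": "198.51.100.23", "device": "dev-a1", "result": "success"}
{"ts": "2022-11-02T08:05:40Z", "user": "alice", "ip": "198.51.100.40", "device": "dev-a1", "result": "success"}
{"ts": "2022-11-02T09:00:00Z", "user": "bob", "ip": "192.0.2.10", "device": "dev-b1", "result": "success"}
{"ts": "2022-11-03T07:58:03Z", "user": "alice", "ip": "198.51.100.23", "device": "dev-a1", "result": "success"}
{"ts": "2022-11-04T08:01:19Z", "user": "alice", "ip": "198.51.100.77", "device": "dev-a1", "result": "success"}
{"ts": "2022-11-04T23:41:52Z", "user": "alice", "ip": "203.0.113.9", "device": "dev-zz", "result": "failure"}
{"ts": "2022-11-04T23:42:30Z", "user": "alice", "ip": "203.0.113.9", "device": "dev-zz", "result": "success"}
{"ts": "2022-11-05T08:03:00Z", "user": "alice", "ip": "198.51.100.23", "device": "dev-a2", "result": "success"}
{"ts": "2022-11-05T09:10:00Z", "user": "bob", "ip": "192.0.2.200", "device": "dev-b9", "result": "success"}
"""


def network_key(ip, v4_prefix=24, v6_prefix=64):
    """Collapse an address to its enclosing network so that address churn
    inside one office or ISP range does not look like a new location."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def detect_first_seen(lines, min_history=3):
    """Return alerts for sign-ins from a network or device not in the user's baseline.

    A user is only evaluated once `min_history` sign-ins have been learned,
    which avoids alerting on every event for a brand-new account.
    """
    events = sorted((json.loads(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])  # ISO 8601 UTC sorts lexically
    known_nets = defaultdict(set)
    known_devs = defaultdict(set)
    learned = defaultdict(int)
    alerts = []

    for ev in events:
        user, dev = ev["user"], ev["device"]
        net = network_key(ev["ip"])

        reasons = []
        if learned[user] >= min_history:
            if net not in known_nets[user]:
                reasons.append("new_network")
            if dev not in known_devs[user]:
                reasons.append("new_device")

        if reasons:
            alerts.append({
                "ts": ev["ts"], "user": user, "ip": ev["ip"], "device": dev,
                "result": ev["result"], "reasons": reasons,
                # Both signals changing at once is the stronger indicator.
                "severity": "high" if len(reasons) == 2 else "medium",
            })
            # Do not learn from an alerted event: it stays unknown until an
            # analyst confirms it, so one odd sign-in cannot whitelist itself.
            continue

        # Only successful sign-ins extend the baseline; failed attempts from
        # an unknown source must never make that source "known".
        if ev["result"] == "success":
            known_nets[user].add(net)
            known_devs[user].add(dev)
            learned[user] += 1

    return alerts


if __name__ == "__main__":
    for alert in detect_first_seen(SAMPLE_EVENTS.splitlines()):
        print(alert["ts"], alert["user"], alert["ip"], alert["device"],
              alert["result"], alert["severity"], ",".join(alert["reasons"]))
```
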


Create a Comprehensive Off-boarding Process

After an employee leaves your firm, they should no longer have access to any company resources, including cloud storage, systems, data, customers, or intellectual property. Unfortunately, completing this vital security duty is sometimes put off until several days or weeks after an employee has left.

Since every employee is likely to have access to a variety of cloud platforms and applications, a systemized deprovisioning procedure can assist you in ensuring that all access permissions for each departing employee are revoked and prevent information leaks.
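One way to check that deprovisioning actually happened is to reconcile the HR roster against an account export from each cloud platform. The following is an added example, not part of the original article; the CSV column names, platform names, and severity labels are assumptions, and both data sets are constructed.

```python
import csv
import io
from datetime import date

# Constructed HR roster export (column names are assumptions).
HR_CSV = """\
email,status,last_day
Carol.Diaz@example.com,terminated,2022-10-14
dan.wu@example.com,terminated,2022-11-18
erin.ng@example.com,active,
"""

# Constructed account inventory merged from several platforms.
ACCOUNTS_CSV = """\
platform,login,enabled,last_login
storage,carol.diaz@example.com,true,2022-10-20
crm,carol.diaz@example.com,false,2022-10-10
chat,dan.wu@example.com,true,2022-11-17
storage,erin.ng@example.com,true,2022-11-21
ci,build-bot@example.com,true,2022-11-21
crm,dan.wu@example.com,true,
"""

SEVERITY_ORDER = {"critical": 0, "high": 1, "review": 2}


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit_offboarding(hr_csv, accounts_csv, today):
    """List enabled accounts that should have been revoked.

    critical: enabled and used after the employee's last day
    high:     enabled after the last day, no sign-in seen since
    review:   enabled account with no HR record (service or orphaned account)
    """
    known, departed = set(), {}
    for row in _rows(hr_csv):
        email = row["email"].strip().lower()  # HR and IdP often differ in case
        known.add(email)
        if row["status"] == "terminated" and row["last_day"]:
            departed[email] = date.fromisoformat(row["last_day"])

    findings = []
    for acct in _rows(accounts_csv):
        login = acct["login"].strip().lower()
        if acct["enabled"].strip().lower() != "true":
            continue  # already deprovisioned on this platform

        if login not in known:
            findings.append({"platform": acct["platform"], "login": login,
                             "severity": "review", "days_overdue": None})
            continue

        last_day = departed.get(login)
        if last_day is None or last_day >= today:
            continue  # current employee, or still working out notice

        last_login = (date.fromisoformat(acct["last_login"])
                      if acct["last_login"] else None)
        used_after = last_login is not None and last_login > last_day
        findings.append({
            "platform": acct["platform"], "login": login,
            "severity": "critical" if used_after else "high",
            "days_overdue": (today - last_day).days,
        })

    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]],
                                 f["platform"], f["login"]))
    return findings


if __name__ == "__main__":
    for f in audit_offboarding(HR_CSV, ACCOUNTS_CSV, date(2022, 11, 22)):
        print(f["severity"], f["platform"], f["login"], f["days_overdue"])
```
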


Provide Regular Anti-Phishing Training to Employees

Hackers can acquire access to protected information by stealing employees' login credentials using social engineering techniques such as phishing, internet spoofing, and social media spying. As a result, cybersecurity has now become a collective responsibility, making comprehensive anti-phishing training necessary to educate your employees about these threats.

Because unscrupulous hackers come up with new phishing scams by the day, regular anti-phishing training is essential for developing formidable cloud security.


Bottom Line

Cloud security hygiene no longer consists solely of strong passwords and security checks. Instead, it is a series of innovative procedures that organizations use nowadays to leverage cloud networks. With more businesses moving towards the cloud and cyberattacks on the rise, it is the responsibility of your organization to remain vigilant and protect itself from cyberattacks.

Spotlight

NC-Expert

NC-Expert is a consortium of experts in business and technical specialties focused around Enterprise Infrastructure. Specifically: -Mobility (Wireless, WLan, Wi-Fi, Location Capabilities, Outdoor, High Density, LTE) -Security (Cyber Security, Next Generation Firewalls, ISE, Malware, Threat Detection & Mitigation, Ethical Hacking) -Collaboration (VoIP, Cisco Unified Communications, Telepresence, Contact Center).

OTHER ARTICLES
DATA SECURITY, PLATFORM SECURITY, SOFTWARE SECURITY

The Great CISO Resignation

Article | March 29, 2023

CISOs Are Leaving in Droves The Great Resignation has been front-page news since Covid lockdowns, with many employees looking for the work-life balance they enjoyed at the time. Now, the phenomenon has spread to the role of Chief Information Security Officer (CISO) and shows no signs of letting up. In fact, industry experts predict that it is likely to worsen. A recent study from cybersecurity company BlackFog found that 32% of CISOs in the U.K. and U.S. have considered leaving and many planned to do so in just six months. The majority noted that the top reason for leaving was a lack of work-life balance. The CISO role is demanding, with firefighting and frequent changes in regulations and customer expectations taking up significant time both on and off the job. In another recent study in which 581 CISOs were surveyed, the IANS Research and Artico Search explored CISO compensation and job satisfaction. Three-fourths of CISOs are satisfied with their job, which is 7% higher than in the 2021 sample and more than double that of the 2020 sample. The main drivers of satisfaction are compensation, budget, executive visibility, and organizational support. However, despite high satisfaction numbers, the study found that as many as 44% of respondents are considering a job change. CISO Challenges LIABILITY AND EXPOSURE OF THE CISO There is a perception that CISOs face heightened liability for cyber intrusions and the response to cyber events. One extraordinary example is the recent conviction of Uber’s former security officer, which represents the first time a security executive has faced federal crime prosecution over a data security response. In this case the finding was that he obstructed justice by concealing information about a breach, destroying data, and covering up the incident. CISOs are often in the hot seat when it comes to cyber-intrusions and how they are handled. 
The Board of Directors (possibly including named corporate officers) in most cases are protected by being diligent about the Business Judgement Rule (BJR). Heavily adopted in Delaware case law and since adopted in various forms in many states, this “rule” stipulates that proper oversight includes demonstrating the duty of loyalty (no conflicting interests) and duty of care (make informed decisions) to be protected from liability. There are few cases (although Enron being one) where liability was found but it was for illegalities and poor business judgment. Since CISOs are not named corporate officers in most cases, BJR does not provide comfort. Similarly, liability insurance which covers legal defense fees and cash judgments often covers only directors and named corporate officers unless the CISO has been specifically included in the policy. DUTY TO REPORT Improving Board-CISO Transparency There is a mechanism found in corporate governance best-practices for ensuring that the most senior people in an organization get direct, unfiltered input from a key executive, regardless of reporting structure. It is called the executive session. This is in common use by Boards of Directors who meet individually with the Chief Financial Officer, Controller, and other key executives, notably without other management in the room. Questions are intended to be penetrating and the respondent is expected to respond openly. Now that cybersecurity has risen to a top risk for the enterprise, the CISO position should be among those who appear individually in an executive session with the highest governing body of an enterprise at least annually. This addition to governance best-practices would give Board members and State governors unfiltered information on cybersecurity matters, thereby helping to fulfil their oversight responsibility. 
Bob Zukis, founder and CEO of the Digital Directors Network, reports that a survey of its membership of more than 900 IT, cyber, and boardroom leaders shows nearly half of the respondents already have some form of this policy in practice. However, this is still a minority of the overall CISO population, signaling more transparency between the CISO and Board is needed. CISOs in State Governments Government organizations also face many of these issues. Evidence shows that CISOs in state governments are as vulnerable to other job offers as CISOs in the private sector. In the span of eight days in October 2022, there were several reports of state CISOs resigning, including Oklahoma, Georgia, Pennsylvania, and North Dakota. [1] Legal liability is not an issue the government CISO needs to be worried about since governments and their employees are immune from legal suits. However, government CISOs are highly concerned about shouldering blame, especially in the press, for security intrusions or their coverup. As with private industry, state governments should also institute this recommended practice. NCC recommends CISOs be called upon to appear in an executive session with agency heads and even the governor at least once a year. The State of Texas, for example, already has a version of this policy implemented in a statute and in practice. Texas Administrative Code includes provisions for: Reporting, at least annually, directly to the agency head the status and effectiveness of the security program and its controls. Informing any relevant parties in the event of noncompliance with the state agency’s information security policies Resolving the Great CISO Resignation For organizations across the public and private sectors, cybersecurity has risen to one of the top risks and has increased the importance of the role of the CISO. Most are looking to improve their work-life balance and reduce some of the stressors of the job. 
While many CISOs are also concerned about trends in liability and becoming headline news for decisions made on the job, requiring CISOs to appear in executive sessions with board members or state governors can help to alleviate these concerns and improve CISO job satisfaction while at the same time improving how the most senior levels of organizations fulfil their responsibilities for oversight of top risks.

Read More
PLATFORM SECURITY

Top 5 Application Security Trends Businesses Must Be Aware of in 2023

Article | July 12, 2022

Introduction Top 5 Trends for Businesses to Improve Their Existing Application Security 1.AppSec and Convergence 2.Adoption of Automated AI Security Capabilities 3.Emphasis on Securing the Software Supply Chain 4.Extreme 'Shift Left' 5.Upsurge in Demand for Vulnerability Prioritization Moving Forward with Application Security Introduction The proliferation of applications and their usage across the business landscape has made application security a strategic initiative that spans departments rather than an activity. Several factors are driving the rethinking of application security as a broader strategic program, including the evolving threat landscape, more incremental software development frameworks, and the adoption of nimbler. With the acceleration of software development and the greater-than-ever role of code in current business infrastructure, application security is shifting left in the process and infusing every step to ensure that the applications reaching customers' hands are secure and reliable. Top 5 Trends for Businesses to Improve Their Existing Application Security Applications serve as a doorway to servers and networks, making them an excellent target for malicious actors. Since cyber attackers constantly improve their techniques for breaking into software, it is becoming essential for businesses to gain insights into ever-evolving trends in the AppSec space. Here are some of the prominent trends that businesses should aware of to improve their existing application security. Trend 1: AppSec and CloudSec Convergence To accurately estimate attack surface and overall security posture, both application code vulnerabilities and cloud service hosting misconfigurations must be examined. The convergence of AppSec and CloudSec is becoming a critical component of modern security operations. It allows organizations to gain a comprehensive view of the attack surface and better understand the risks posed by application code and cloud service providers. 
By looking at these two areas cohesively, organizations can identify business-critical vulnerabilities and prioritize their remediation efforts. Trend 2: Adoption of Automated AI Security Capabilities The increasing volume and complexity of security threats pose significant challenges for organizations, causing strain on their threat detection and response capabilities. This leads to slower response times, higher costs, and a greater impact on security incidents. To address this issue, many companies are turning to security automation as a potential solution. One of such approaches involves the use of artificial intelligence (AI), which can automate data gathering, threat identification, and incident response processes. By adopting security automation, companies can optimize the use of limited security personnel and resources, enabling them to focus on high-value activities that provide maximum benefit to the organization. Trend 3: Emphasis on Securing the Software Supply Chain The software supply chain is emerging as a primary area of focus due to the heightened risks associated with software development. This urgency has been further compounded by the recent attack, such as Solarwind data breach and the Log4j attack on Apache, increasing the significance of software security measures. Companies are taking a more proactive approach for making enhancements in the software supply chain to protect their applications, including conducting Static Application Security Testing (SAST) to identify and address vulnerabilities before malicious actors can exploit them. Trend 4: Extreme 'Shift Left' The ‘shift left’ in software development has gained significant momentum in recent years. The idea behind this approach is to prioritize security and other critical aspects of software development at the earliest possible stage in the development process. 
By doing so, organizations can make more informed security decisions and identify and address security vulnerabilities before they cause any damage. As the pace of development continues to increase, organizations are increasingly adopting this approach in their software development processes to protect their systems and data from security risks. Trend 5: Upsurge in Demand for Vulnerability Prioritization Managing vulnerabilities in a software system requires analyzing vast amounts of data to determine issues that require immediate attention and prioritization. However, the growing presence of false positives is negatively impacting this process, resulting in decreased efficiency and wasted resources. Organizations are increasingly looking for vendors to provide vulnerability management tools that can reduce false positives, differentiate between low-priority issues and severe security threats, and offer actionable insights to mitigate them. Moving Forward with Application Security Applications security has become more critical than ever before for businesses in the current digital scape. With the attack surface constantly expanding and the frequency of threats on the rise, organizations must remain agile and employ the best effective strategies to protect their applications from potential cyberattacks. The significance of application security has not gone unnoticed. As organizations continue to invest in security measures, they are increasingly upgrading themselves as per emerging security trends to protect themselves against evolving cyber threats. This includes adopting the ‘shift left’ approach, tightening controls, and having a clear definition of remediation processes.

Read More
DATA SECURITY, PLATFORM SECURITY, SOFTWARE SECURITY

Security by Sector: Improving Quality of Data and Decision-Making a Priority for Credit Industry

Article | August 12, 2022

The subject of how information security impacts different industry sectors is an intriguing one. For example, how does the finance industry fare in terms of information security compared to the health sector, or the entertainment business? Are there some sectors that face greater cyber-threats and risks than others? Do some do a better job of keeping data secure, and if so, how and why?A new study of credit management professionals has revealed that improving the quality of data and decision-making will be a top priority for the credit industry in the next three years. The research, from Equifax Ingnite in collaboration with Coleman Parkes, takes a deep dive into the views of credit management pros across retail, banking, finance and debt management/recovery sectors.

Read More

3 Trends in Data Privacy Breach Laws That Will Carry Over to 2020

Article | February 12, 2020

During 2019, new privacy laws were introduced, and many current laws evolved in the United States and across the global landscape. With the General Data Protection Regulation (GDPR) in full effect, we saw expensive fines levied upon companies that fell victim to data privacy breaches. As we move into a new year, probably the biggest takeaway from 2019 is that being proactive and having a data privacy strategy in place is important to help mitigate the risk of a data privacy breach. The regulatory landscape continues to evolve as states and countries actively pass new expanded requirements for privacy and cybersecurity regulations. While laws in the U.S., like the California Consumer Privacy Act (CCPA), are getting significant attention, many other states and countries are actively amending their breach notification laws to include tighter restrictions.

Read More

Spotlight

NC-Expert

NC-Expert is a consortium of experts in business and technical specialties focused around Enterprise Infrastructure. Specifically: -Mobility (Wireless, WLan, Wi-Fi, Location Capabilities, Outdoor, High Density, LTE) -Security (Cyber Security, Next Generation Firewalls, ISE, Malware, Threat Detection & Mitigation, Ethical Hacking) -Collaboration (VoIP, Cisco Unified Communications, Telepresence, Contact Center).

Related News

PLATFORM SECURITY, SOFTWARE SECURITY, API SECURITY

Traceable AI Announces the Industry’s First API Security Reference Architecture for a Zero Trust World

Businesswire | June 06, 2023

Traceable AI, the industry's leading API security company, today announced the release of the industry's first API Security Reference Architecture for Zero Trust. This groundbreaking reference architecture serves as a guide for security leaders as the industry addresses the urgency of integrating API Security into Zero Trust Security initiatives. Zero Trust, a cybersecurity framework that emphasizes continuous verification and helps to minimize the attack surface, has proven effective in enhancing security for many organizations, from large enterprises, to the US Government. However, traditional Zero Trust approaches have primarily focused on network-level controls and identity access management, neglecting the critical API layer. Traceable’s API Security Reference Architecture is aligned with the NIST Zero Trust Architecture, a publicly available, vendor-neutral framework widely adopted by government entities such as CISA, DoD, DISA, NSA, GSA and NCCoE, as well as by many leading cybersecurity vendors. By leveraging the NIST framework, Traceable ensures compatibility, interoperability, and adherence to industry standards, making it a reliable and trusted guide for organizations implementing Zero Trust for their APIs. The extensive reference architecture provides organizations with a prescriptive methodology to operationalize Zero Trust for APIs: Advanced API Security: The reference architecture gives organizations a way to implement robust security measures specifically designed for APIs, including eliminating implied or persistent trust for APIs, thereby minimizing the risk of API-related vulnerabilities, attacks, and data breaches. Comprehensive Risk Management: The reference architecture recommends incorporating automatic user authentication and authorization, granular data access policies, and asset risk assessments, can organizations can effectively manage and mitigate risks associated with API access and usage. 
Increased Visibility and Control: The architecture explains why organizations should obtain granular visibility, which allows organizations to monitor and record all API transactions, enabling better analysis, threat detection, and incident response capabilities. Improved Compliance and Data Protection: The automatic identification and classification of sensitive data sets ensure compliance with data protection regulations such as HIPAA, GDPR, and PCI-DSS, reducing the risk of regulatory penalties and reputational damage. Seamless Automation and Orchestration: The reference architecture recommends integration with XDR, SIEM, and SOAR solutions, so organizations can enhance their overall security posture, automate response actions, and streamline security operations. Scalability and Flexibility: The architecture offers a flexible distribution model for PEPs and data collection points, allowing organizations to scale their API security infrastructure based on their unique requirements and architecture. Future-Proofing: By aligning with the NIST Zero Trust Architecture and industry standards, organizations adopting the API Security Reference Architecture can ensure compatibility, interoperability, and the ability to evolve alongside emerging technologies and security best practices. Traceable’s API Security Reference Architecture for Zero Trust introduces a new approach to secure APIs using Zero Trust concepts, acknowledging their unique security requirements. It provides organizations with a comprehensive framework to implement Zero Trust controls specifically tailored to APIs, ensuring the protection of digital assets and mitigating the risk of data breaches. Dr. Chase Cunningham weighs in on Traceable’s approach: "APIs provide a new means of applying controls across enterprise applications, " says Dr. Cunningham, “However, the security practices for APIs have not yet matured, leaving a significant gap in the overall attack surface. 
Traceable has developed their own API Security Reference Architecture to help fill this gap by providing organizations with a methodical way to secure their APIs with Zero Trust principles. By combining Zero Trust strategic concepts with API-specific security measures, Traceable can help organizations protect their digital assets effectively." Throughout the past year, Traceable has continued to reaffirm its commitment to extending Zero Trust methodologies to API Security. With the addition of Zero Trust creator John Kindervag and Dr. Zero Trust, Chase Cunningham as Traceable advisors, Traceable continues to strengthen its expertise in this space. To date, Traceable has become a valuable partner to a number of large enterprises as the industry turns its eyes toward the importance of API security. With the rollout of their Zero Trust API Access solution alongside this reference architecture, Traceable continues to lead the industry toward the advancement of API security. This reference architecture is now available for organizations to explore and implement, empowering them to achieve complete API security in a Zero Trust world. About Traceable Traceable is the industry’s leading API Security company that helps organizations achieve API protection in a cloud-first, API-driven world. With an API Data Lake at the core of the platform, Traceable is the only intelligent and context-aware solution that powers complete API security – security posture management, threat protection and threat management across the entire Software Development Lifecycle – enabling organizations to minimize risk and maximize the value that APIs bring to their customers. To learn more about how API security can help your business, book a demo with a security expert.

Read More

PLATFORM SECURITY, SOFTWARE SECURITY, CLOUD SECURITY

Lacework Unifies Entitlements Management and Threat Detection for Simplified Cloud Security

Prnewswire | June 07, 2023

Lacework, the data-driven security platform, today announced new CIEM functionality that empowers teams to gain observability of all cloud identities, know precisely who can perform what actions, and easily identify which identities pose the greatest risk. Furthermore, Lacework's actionable approach to CIEM provides customers with recommendations on how to reduce their identity risk. By combining these new capabilities with cloud security posture management, attack path analysis, and threat detection into a single platform, Lacework gives customers a clear understanding of their cloud identity landscape, visibility into cloud identity and access management (IAM) misconfigurations and exposed secrets, and continuous discovery of identity threats. The benefits of public cloud come with complex challenges in managing identity risk. With over 35,000 granular permissions across hyperscale cloud providers, organizations struggle to limit unnecessary access. Most cloud users and instances are granted far more permissions than they actually need, leaving organizations highly exposed to cloud breach, account takeover, and data exfiltration. And the fact that machine identities in the cloud typically outnumber humans by an order of magnitude intensifies the issue. "Enforcing least privilege and having visibility of identities and entitlements is a top cloud security challenge for IDC clients. With this innovation from Lacework, security teams can automatically see which identities are overly-permissive, and zero in on the ones that pose the greatest risk," said Philip Bues, Research Manager for Cloud Security, at IDC. "Beyond prioritizing risks, this will also allow teams to confidently suggest policy changes and reduce their overall attack surface risk." 
Preventing Cloud Identity Risk with New Entitlement Management Technology Lacework dynamically discovers cloud user, resource, group and role identities and their net-effective permissions and then automatically correlates granted versus used permissions to determine identities with excessive privileges. The platform calculates a risk score for each identity, determines the riskiest identities based on attack path analysis, and auto-generates high-confidence recommendations for right-sizing permissions based on historical observations. This means Lacework not only informs customers of risky identities and entitlements, but also shows those identities that are hardly used or even need entitlements to begin with. "CIEM is a vital facet of a comprehensive cloud security strategy," said Paolo del Mundo, Director of Application Security, The Motley Fool. "It's encouraging to see Lacework incorporating this into their well-rounded CNAPP solution, potentially providing a robust response to the challenge of managing cloud access permissions effectively." Combined with Lacework's ability to prioritize risks from an attack path context, as well as detect user and entity behavior anomalies, customers are able to: Continuously comply with IAM security and regulatory compliance requirements. Identify cloud user, application and service identities, know exactly what actions each can take, and prioritize the identities that pose the greatest risk. Limit the blast radius of compromised cloud accounts, achieve least privilege, and establish trust with engineering teams. Continuously discover risky behavior, including lateral movement and privilege escalation, without needing to write rules or stitching together disparate alerts. Rapidly detect insider threats associated with malicious or accidental abuse of permissions. 
"Our customers need to know what entities are actually doing in their cloud and whether it's malicious or inappropriate, and it can't get in the way of their ability to move fast," said Adam Leftik, Vice President, Product, Lacework. "Now Lacework customers can address both sides of the identity security issue with a single platform that prevents identity risk exposure and detects identity threats at scale, with the context to quickly investigate, prioritize, and respond to identity alerts. It's the latest step in our mission to give enterprises the confidence to rapidly innovate in the cloud and drive their business forward." About Lacework Lacework offers the data-driven security platform for the cloud and is the leading cloud-native application protection platform (CNAPP) solution. Only Lacework can collect, analyze, and accurately correlate data — without requiring manually written rules — across an organization's AWS, Azure, Google Cloud, and Kubernetes environments, and narrow it down to the handful of security events that matter. Security and DevOps teams around the world trust Lacework to secure cloud-native applications across the full lifecycle from code to cloud. Get started at www.lacework.com.

Read More

DATA SECURITY, ENTERPRISE SECURITY, SOFTWARE SECURITY

Vanta Expands Partnership with CrowdStrike, Announces New Integration to Secure Access for Automated Compliance

Businesswire | May 12, 2023

Vanta, a leading trust management platform, announced today that it has expanded its partnership with CrowdStrike, a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data, with a new integration that improves compliance and security operations for organizations of all sizes. Vanta also announced three new strategic investors in their previously announced Series B — Atlassian Ventures, HubSpot Ventures and Workday Ventures.

The new integration builds on an existing partnership between Vanta and CrowdStrike. In September 2022, the companies announced that CrowdStrike had made an investment in Vanta via the CrowdStrike Falcon Fund. That investment, along with the newly announced investments today by Atlassian Ventures, HubSpot Ventures and Workday Ventures, not only enables Vanta to continue growing its go-to-market, R&D and global expansion efforts, but provides valuable partnership opportunities via aligned customer and partner bases and industry-leading product innovation.

“As the market’s leading trust management platform, we’re excited to build on our industry-first partnership with CrowdStrike, bringing together our pioneering technologies to automate compliance securely across organizations—from small and midsize businesses to enterprise environments,” said Christina Cacioppo, CEO, Vanta. “As we transform the way companies demonstrate their security, and ultimately, establish and deepen trust, we’re thrilled to welcome new investments by Atlassian Ventures, HubSpot Ventures and Workday Ventures as we work to simplify and centralize security for our 5,000 global customers and beyond.”

With cybersecurity threats continuing to increase in volume and complexity, it’s more critical than ever for organizations to prioritize their security posture and build trust with internal and external stakeholders alike. By leveraging the CrowdStrike Falcon® platform, Vanta customers gain visibility into employee agent deployment, allowing them to seamlessly configure and manage cloud monitoring to ensure internal policies are being upheld. The integration with CrowdStrike increases automation for compliance security operations at scale within Vanta, empowering customers to:

- Improve security posture by actively monitoring the status of corporate employee access to the Falcon platform, as well as mitigate potential misuse and insider threats by removing access for offboarded users.
- Eliminate security blindspots with additional visibility into CrowdStrike agent installation coverage across relevant endpoints and workloads for comprehensive protection and control.
- Meet compliance standards by certifying CrowdStrike prevention policies by actively performing the relevant checks on the required devices and cloud workloads within the Vanta platform.

"Cybersecurity and compliance are both on similar trajectories of increasing complexity," said Daniel Bernard, Chief Business Officer, CrowdStrike. "Together with Vanta, CrowdStrike is automating continuous security and compliance so organizations of all sizes can elevate protection levels in an efficient manner."

Over the past year, Vanta has nearly doubled its customer base to serve over 5,000 companies across 58 countries, while expanding its global footprint with offices in Australia, Ireland and the U.S. In January, Vanta announced its acquisition of Trustpage to accelerate its enterprise momentum and transform trust into a marketable advantage for companies around the world.

“Developing trust and providing companies with solutions to support them as they grow is essential to our mission to help organizations grow better. Vanta enables companies to strengthen trust with customers by improving security and compliance management, making them a natural partner to HubSpot,” said Eric Richard, CISO and SVP of Engineering Operations, HubSpot. “I’m looking forward to the work Vanta and HubSpot will do together to create more secure digital experiences for companies and their customers.”

To meet demand from its rapidly expanding customer base, in Q1 alone, Vanta added over 50 new integrations, for a total of 125+ across the most essential cloud applications in a company's tech stack. With Vanta’s recently launched Vendor Risk Management (VRM) solution and Questionnaire Automation, customers can evaluate security in the buying process while closing their own deals faster — all in a single platform.

“Teams work in a more connected and collaborative nature than ever before. But with more apps and entry points in every organization’s tech stack, the companies of tomorrow need to ensure they’re secure today,” said Peter Lenke, Head of Atlassian Ventures. “We’re excited to invest in and partner with Vanta as they enable security teams to significantly reduce vendor risk by quickly inventorying vendors, performing security reviews, and remediating issues — all in the same platform they use for security and compliance today. Vanta closes the loop on the security lifecycle from start to finish. With our shared commitment to reimagine and deliver a more secure cloud, we couldn’t be more thrilled to join Vanta in its next phase of growth.”

In addition to its product and partnership acceleration in 2023, Vanta’s innovation has been recognized across a range of rankings and awards including securing the #17 spot in CNBC’s Disruptor 50, Inc’s Best Workplaces and the Fastest Growing Cybersecurity Company by the Cybersecurity Excellence Awards.

“The investment in Vanta reflects our commitment to intelligent automation and sophisticated technology that helps organizations navigate an ever-changing world,” said Michael Magaro, Senior Vice President of Corporate Growth, Workday Ventures. “As the strategic capital arm of Workday, trust and transparency are values that are ingrained in everything we do at Workday Ventures. Vanta is well-positioned to evolve the rapidly changing trust and security industry, and we look forward to partnering with them as they continue their journey to safeguard organizations and consumers everywhere.”

In 2022, Vanta raised $150 million in funding from leading investors Craft Ventures, Sequoia and Y Combinator and security industry pioneers like CrowdStrike, bringing the company’s total amount raised to $203 million at a $1.65 billion valuation.

About Vanta

Vanta is the leading trust management platform that helps simplify and centralize security for organizations of all sizes. Over 5,000 companies including Autodesk, Chili Piper, Flo Health, and Quora rely on Vanta to build, maintain and demonstrate their trust—all in a way that's real-time and transparent. Founded in 2018, Vanta has customers in 58 countries with offices in Dublin, New York, San Francisco and Sydney. For more information, visit www.vanta.com.


PLATFORM SECURITY, SOFTWARE SECURITY, API SECURITY

Traceable AI Announces the Industry’s First API Security Reference Architecture for a Zero Trust World

Businesswire | June 06, 2023

Traceable AI, the industry's leading API security company, today announced the release of the industry's first API Security Reference Architecture for Zero Trust. This groundbreaking reference architecture serves as a guide for security leaders as the industry addresses the urgency of integrating API Security into Zero Trust Security initiatives.

Zero Trust, a cybersecurity framework that emphasizes continuous verification and helps to minimize the attack surface, has proven effective in enhancing security for many organizations, from large enterprises to the US Government. However, traditional Zero Trust approaches have primarily focused on network-level controls and identity access management, neglecting the critical API layer.

Traceable’s API Security Reference Architecture is aligned with the NIST Zero Trust Architecture, a publicly available, vendor-neutral framework widely adopted by government entities such as CISA, DoD, DISA, NSA, GSA and NCCoE, as well as by many leading cybersecurity vendors. By leveraging the NIST framework, Traceable ensures compatibility, interoperability, and adherence to industry standards, making it a reliable and trusted guide for organizations implementing Zero Trust for their APIs.

The extensive reference architecture provides organizations with a prescriptive methodology to operationalize Zero Trust for APIs:

- Advanced API Security: The reference architecture gives organizations a way to implement robust security measures specifically designed for APIs, including eliminating implied or persistent trust for APIs, thereby minimizing the risk of API-related vulnerabilities, attacks, and data breaches.
- Comprehensive Risk Management: The reference architecture recommends incorporating automatic user authentication and authorization, granular data access policies, and asset risk assessments, so organizations can effectively manage and mitigate risks associated with API access and usage.
- Increased Visibility and Control: The architecture explains why organizations should obtain granular visibility, which allows organizations to monitor and record all API transactions, enabling better analysis, threat detection, and incident response capabilities.
- Improved Compliance and Data Protection: The automatic identification and classification of sensitive data sets ensure compliance with data protection regulations such as HIPAA, GDPR, and PCI-DSS, reducing the risk of regulatory penalties and reputational damage.
- Seamless Automation and Orchestration: The reference architecture recommends integration with XDR, SIEM, and SOAR solutions, so organizations can enhance their overall security posture, automate response actions, and streamline security operations.
- Scalability and Flexibility: The architecture offers a flexible distribution model for PEPs and data collection points, allowing organizations to scale their API security infrastructure based on their unique requirements and architecture.
- Future-Proofing: By aligning with the NIST Zero Trust Architecture and industry standards, organizations adopting the API Security Reference Architecture can ensure compatibility, interoperability, and the ability to evolve alongside emerging technologies and security best practices.

Traceable’s API Security Reference Architecture for Zero Trust introduces a new approach to secure APIs using Zero Trust concepts, acknowledging their unique security requirements. It provides organizations with a comprehensive framework to implement Zero Trust controls specifically tailored to APIs, ensuring the protection of digital assets and mitigating the risk of data breaches.

Dr. Chase Cunningham weighs in on Traceable’s approach: "APIs provide a new means of applying controls across enterprise applications," says Dr. Cunningham. "However, the security practices for APIs have not yet matured, leaving a significant gap in the overall attack surface. Traceable has developed their own API Security Reference Architecture to help fill this gap by providing organizations with a methodical way to secure their APIs with Zero Trust principles. By combining Zero Trust strategic concepts with API-specific security measures, Traceable can help organizations protect their digital assets effectively."

Throughout the past year, Traceable has continued to reaffirm its commitment to extending Zero Trust methodologies to API Security. With the addition of Zero Trust creator John Kindervag and Dr. Zero Trust, Chase Cunningham, as Traceable advisors, Traceable continues to strengthen its expertise in this space. To date, Traceable has become a valuable partner to a number of large enterprises as the industry turns its eyes toward the importance of API security.

With the rollout of their Zero Trust API Access solution alongside this reference architecture, Traceable continues to lead the industry toward the advancement of API security. This reference architecture is now available for organizations to explore and implement, empowering them to achieve complete API security in a Zero Trust world.

About Traceable

Traceable is the industry’s leading API Security company that helps organizations achieve API protection in a cloud-first, API-driven world. With an API Data Lake at the core of the platform, Traceable is the only intelligent and context-aware solution that powers complete API security – security posture management, threat protection and threat management across the entire Software Development Lifecycle – enabling organizations to minimize risk and maximize the value that APIs bring to their customers. To learn more about how API security can help your business, book a demo with a security expert.


PLATFORM SECURITY, SOFTWARE SECURITY, CLOUD SECURITY

Lacework Unifies Entitlements Management and Threat Detection for Simplified Cloud Security

Prnewswire | June 07, 2023

Lacework, the data-driven security platform, today announced new CIEM functionality that empowers teams to gain observability of all cloud identities, know precisely who can perform what actions, and easily identify which identities pose the greatest risk. Furthermore, Lacework's actionable approach to CIEM provides customers with recommendations on how to reduce their identity risk. By combining these new capabilities with cloud security posture management, attack path analysis, and threat detection into a single platform, Lacework gives customers a clear understanding of their cloud identity landscape, visibility into cloud identity and access management (IAM) misconfigurations and exposed secrets, and continuous discovery of identity threats.

The benefits of public cloud come with complex challenges in managing identity risk. With over 35,000 granular permissions across hyperscale cloud providers, organizations struggle to limit unnecessary access. Most cloud users and instances are granted far more permissions than they actually need, leaving organizations highly exposed to cloud breach, account takeover, and data exfiltration. And the fact that machine identities in the cloud typically outnumber humans by an order of magnitude intensifies the issue.

"Enforcing least privilege and having visibility of identities and entitlements is a top cloud security challenge for IDC clients. With this innovation from Lacework, security teams can automatically see which identities are overly-permissive, and zero in on the ones that pose the greatest risk," said Philip Bues, Research Manager for Cloud Security, at IDC. "Beyond prioritizing risks, this will also allow teams to confidently suggest policy changes and reduce their overall attack surface risk."

Preventing Cloud Identity Risk with New Entitlement Management Technology

Lacework dynamically discovers cloud user, resource, group and role identities and their net-effective permissions and then automatically correlates granted versus used permissions to determine identities with excessive privileges. The platform calculates a risk score for each identity, determines the riskiest identities based on attack path analysis, and auto-generates high-confidence recommendations for right-sizing permissions based on historical observations. This means Lacework not only informs customers of risky identities and entitlements, but also shows those identities that are hardly used or even need entitlements to begin with.

"CIEM is a vital facet of a comprehensive cloud security strategy," said Paolo del Mundo, Director of Application Security, The Motley Fool. "It's encouraging to see Lacework incorporating this into their well-rounded CNAPP solution, potentially providing a robust response to the challenge of managing cloud access permissions effectively."

Combined with Lacework's ability to prioritize risks from an attack path context, as well as detect user and entity behavior anomalies, customers are able to:

- Continuously comply with IAM security and regulatory compliance requirements.
- Identify cloud user, application and service identities, know exactly what actions each can take, and prioritize the identities that pose the greatest risk.
- Limit the blast radius of compromised cloud accounts, achieve least privilege, and establish trust with engineering teams.
- Continuously discover risky behavior, including lateral movement and privilege escalation, without needing to write rules or stitch together disparate alerts.
- Rapidly detect insider threats associated with malicious or accidental abuse of permissions.

"Our customers need to know what entities are actually doing in their cloud and whether it's malicious or inappropriate, and it can't get in the way of their ability to move fast," said Adam Leftik, Vice President, Product, Lacework. "Now Lacework customers can address both sides of the identity security issue with a single platform that prevents identity risk exposure and detects identity threats at scale, with the context to quickly investigate, prioritize, and respond to identity alerts. It's the latest step in our mission to give enterprises the confidence to rapidly innovate in the cloud and drive their business forward."

About Lacework

Lacework offers the data-driven security platform for the cloud and is the leading cloud-native application protection platform (CNAPP) solution. Only Lacework can collect, analyze, and accurately correlate data — without requiring manually written rules — across an organization's AWS, Azure, Google Cloud, and Kubernetes environments, and narrow it down to the handful of security events that matter. Security and DevOps teams around the world trust Lacework to secure cloud-native applications across the full lifecycle from code to cloud. Get started at www.lacework.com.



Events