Prancer: August 2020

Monday, 31 August 2020

SAAS Solutions

Prancer, a company that provides clients with a framework to validate resources that they deploy to the cloud, is excited to announce a long list of new features that are now a standard part of the prancer cloud, their SaaS solution. These new features further expand Prancer’s capabilities for cloud security and make the platform the pioneer of cloud compliance checks.

Prancer is dedicated to meeting the needs of enterprise businesses. They provide solutions for all the major cloud providers, including Azure, Google, and AWS services. Prancer provides pre-integrated compliance tests. These compliance tests are based on industry standards and include CIS, CSA CCM, HIPPA, ISO 27001, and many other available compliance tests.

To facilitate leveraging the prancer cloud validation framework for companies, prancer offers a free tier in the SaaS offering so that users can run a proof-of-concept before committing to the product. Businesses can integrate that to their DevSecOps process and validate their Infrastructure as Code (IaC). This will allow teams to better understand how prancer cloud can help their business with the aid of their pre and post-deployment compliance tests. Once users have experienced prancer, they can choose the right service tier based on their needs and their budget.

Prancer recognizes the power that Azure, Google, and AWS have in transforming the business world through advanced cloud platforms. That is why all of their SaaS tools are designed to work with these platforms and allow businesses to do even more than they thought possible. Users can enjoy better cloud governance and infrastructure as code that supports their DevOps and IT teams. These new features will seamlessly integrate with existing DevOps pipelines and allow users to write compliance queries based on the Open Policy Agent (OPA) query language. Spend less time worrying about managing software and data centers and more time focusing on business requirements.

As technology advances and more companies rely on cloud solutions, security becomes an increasing concern. With prancer SaaS, businesses can fully run compliance tests and scan codes before they are deployed to the cloud. No valuable data will be exposed to vulnerabilities because they are being fully vetted and confirmed as safe. Users can feel confident that they are protecting all their resources while also taking full advantage of all the benefits of the cloud.

The addition of these latest features to the prancer suite of tools and solutions again highlights the company’s commitment to staying ahead of the competition and empowering customers to reach new levels of success through technology.

About Prancer

Prancer Enterprise (https://www.prancer.io) was created with the goal of providing any size business with a cloud validation framework that enables cloud governance and multi-cloud validation compliance. By understanding the needs of today’s clients, creating innovative solutions, and collaborating through open-source networks, we are working to make cloud technology more secure and versatile.

To learn more about Prancer and how we can help your company, contact us today.

Monday, 24 August 2020

Immutable IaC and DevOps

The traditional mutable approach to infrastructure causes delays in the DevOps pipeline. Dependencies can make application deployments difficult and human innovation is actually slowed down by technology. Immutable IaC creates consistent environments that allow for automated testing and deployment that accelerates the DevOps process and eliminates delays and clogs in the pipeline.

With immutable IaC, teams don’t have to worry about manually validating changes. Everything can be handled through a continuous delivery pipeline that automates all the deployment and testing requirements. New applications can go online faster and all the usual risks associated with change can be eliminated.

Just because mutable infrastructures have been the standard doesn’t mean that they are the best solution. IT teams may be reluctant to let go of their manual update responsibilities, but automating tasks ultimately create more time and space for them to work on true innovations that can push the company forward.

If you have more questions about the benefits of immutable IaC and how you can implement this approach at your business, contact the experts at prancer. We specialize in cloud validation frameworks that support continuous compliance. We can provide you with advice, support and tools you need to take full advantage of cloud computing and IaC.

Monday, 17 August 2020

Infrastructure as Code Security and Compliance Approaches

In the past, cloud security practices relied on developers catching misconfigurations, identifying risks, and compliance violations after the system has already been provisioned and is essentially up and running. While this is certainly an effective approach for implementing and managing IaC, it can also be time-consuming. Developers are put in a position where they have to fix mistakes when they should be focusing on the creation and feeding of new ideas into the DevOps pipeline. This is changing as security mores “towards the left.

Shifting Security to the Left

If you have been keeping up with IaC news, you may be coming across the idea of shifting security to the left. Essentially, this means that organizations are working to change the relationship between developers and security professionals in order to improve both security and productivity. The best way to achieve this is by making sure that cloud security is a part of the CI/CD process. It is also important to thoroughly evaluate IaC templates so that they are addressing the compliance and security issues that can sometimes be ignored until runtime.

This shift helps to create a more collaborative relationship between security and developers. Security concerns can be addressed at the right time and place without interrupting the workflow. Traditionally, even a small misconfiguration could trigger compliance issues. Security teams would have to spend time trying to isolate the source of the problem before determining who on the DevOps team should be contacted in order to initiate the remediation process.

Improving Security and Productivity

IaC helps companies avoid these types of delays and improve productivity. Instead of having to create tickets, users can write code to build a template that automates aspects of the CI/CD process. The declarative language style of certain IaC tools makes it easy to balance loads, monitor compliance issues, and implement security controls. With IaC, companies aren’t forced into taking a reactive stance when it comes to security. Instead, they can be preventative and proactive by tackling security during the development process.

Perhaps the best way to move security to the left with IaC is to have security professionals create security guardrails that check the developer’s work and can integrate into their development and testing process. All testing should be used for a more comprehensive view of security risks. From there, developer’s tools need to be able to provide the right security guidance so that they know what steps to take when IaC reveals a security issue.

Benefits of IaC

If security and compliance can become better aligned with DevOps, there are a host of benefits. First and foremost, security risks and compliance issues won’t be put off to run time. Developers will also be more productive and experienced with resolving security issues with the help of IaC templates and automated tools. Finally, security and development will be more connected, which will help create better processes, collaboration, and job satisfaction.

To learn more about how IaC is powering today’s DevOps while also shifting security to the left, contact the experts at prancer. We are proud to help companies with cloud validation frameworks that support CI/CD.

Monday, 10 August 2020

State of DevSecOps Report' for Summer 2020

Accurics has just released the latest erosion of its “State of DevOps” reports for the summer of 2020. This report looks at the different types of security challenges that are emerging as more companies adopt cloud technology and Infrastructure as Code (IaC). While the report shows that cloud breaches have the potential to increase in number and scale in the coming months, the study also suggests concrete steps that can be taken to avoid these problems while still taking full advantage of IaC.

Most Common Security Challenges

1- Cloud misconfiguration. While cloud misconfiguration isn’t necessarily an emerging threat, it is clear that companies have yet to adequately address this issue which means that it will occur more often and on a larger scale in the future. According to the study, a full 93% of cloud deployments that were studied contained at least one instance where an entire storage bucket was left completely exposed.

Businesses weren’t just failing to use multiple-authentication processes, they were leaving areas without any protection at all. This is somewhat surprising in a time when we now know about the importance of security and compliance and there are simple ways to protect sensitive data.

2- Routing misconfigurations. The report cites misconfigured routing rules as the biggest risk factor across the board. According to their analysis, in 100% of cases of deployment, changing one of the routing rules was enough to expose a subnet. Small challenges to the configuration resulted in sensitive data being compromised. Malicious actors could easily exploit these vulnerabilities.

3- Alert fatigue. One of the advantages of cloud technology and IaC is that companies can automate alerts and be notified when there is any abnormal activity. When this is combined with manual monitoring and resolution, companies are able to quickly identify and fix problems. However, a constant stream of alerts can create fatigue and make IT teams less motivated to investigate every alert.

Remediation as Code has been introduced as a solution to alert fatigue. It allows teams to automatically generate the code necessary to address problems. In test cases, Remediation as Code is able to resolve 80% of all risks and help eliminate a constant stream of alerts.

4- Hardcoded keys. While there are plenty of key management tools and services available, businesses continue to use hardcoded keys. In many cases, unprotected credentials were stored and used in deployments. Since most businesses attach high-level privileges to these keys, this can create the opportunity for major breaches that have the potential to expose a long chain of resources. Simply using key vaults, avoiding hardcoded keys and rotating access keys can prevent this problem.

Fortunately, Infrastructure as Code (IaC) can help mitigate many of these problems. IaC allows businesses to build security code during the development phase before the infrastructure is provisioned. This is an effective way to reduce vulnerabilities and create a more automated, scalable and responsive system that is equipped to handle existing and emerging security threats. IaC can serve as a baseline that can always be deployed as necessary. If a significant change to the IaC needs to be made, it can be implemented quickly in a way that creates a new baseline. This provides a highly adaptable system that can prioritize security without slowing down the development pipeline.

For more information about IaC, cloud technology, and how you can use these tools while still ensuring compliance and security, contact the experts at prancer today.

Wednesday, 5 August 2020

What is Mutable vs. Immutable Infrastructure?

As Infrastructure as Code (Iac), Internet of Things (IoT), big data and cloud computing become the new standard in IT and business best practices, infrastructures are becoming immutable. This marks a major shift from traditional modes of operation and is worth taking a closer look at.

Before we dive into specifics and understand the benefits of immutable IaC systems, let’s take a moment to review and define key terms. If you aren’t familiar with the term mutable, it refers to something that is prone to change and is easily mutated. Immutable, on the other hand, describes something that is not capable of change.

Mutable IaC

When it comes to IaC, mutable refers to an infrastructure that needs to be constantly updated and changed in order to continue to meet the changing needs of the business. This means that IT professionals have to individually address each server and switch, which can translate into long hours spent identifying problems and coming up with solutions instead of taking the time to rebuild the system in a way that removes any quirks. Since each component is different and requires a unique approach that can often only be performed by one person, the servers are sometimes referred to as snowflakes.

As you may imagine, this approach can be problematic. Mutable IaC creates a situation where only certain IT professionals can address problems. If something goes wrong and that individual isn’t available, there is no way to quickly respond to glitches in the system. While this model created an environment where IT staff felt more needed and valuable, it wasn’t necessarily in the best interest of overall operations.

The other problem with the mutable infrastructure is that over time, businesses may face configuration drifts. For example, let’s say that you are dealing with 10 app services and over time, you are adding various configuration changes to those app services. It is very possible that each of those app services accumulate various executables stacked on each other to provide the required function. This is something to consider when thinking about how a mutable IaC may affect your project in the long run.

Immutable IaC

Immutable IaC represents the future by requiring that each component is built according to exact specifications. There is no room for small deviations that have to be individually addressed. Once a change is required, the infrastructure is provisioned according to the new requirements and the old IaC is taken out of commission.

This same approach is being used with other forms of technology. Consider phones that are equipped with batteries that can’t be replaced. Instead of upgrading the device, you have to purchase an entirely new phone. While this may seem like a waste, it actually provides a level of consistency that makes it easier to provide support. The same is true when it comes to immutable IaC.

Immutable IaC is largely made possible by the advent of virtualization. This tool uses cloud computing to virtualize both hardware and software so that businesses don’t have to worry about provisioning and removing obsolete hardware every time a change is needed. Instead, businesses can document all the steps and requirements involved in creating resources, create code scripts that can assemble the components as outlined in the documentation and automate the entire process. IT teams can also track and record changes for an immutable IaC that can be easily understood and updated by the entire team.