Keywords: multi-cloud management, agile development
About the Company
DisruptOps Inc., founded in Kansas City, Missouri in 2014, is committed to enhancing the security of operations in the cloud by providing automated protection for multi-cloud infrastructure and implementing continuous monitoring and control of cloud infrastructure. In October 2018, the company secured a USD 2.5 million seed round led by Rally Ventures.
Background
In the past few years, public clouds have grown rapidly around the world, and a large number of small and medium-sized companies have begun to embrace cloud computing. However, public cloud providers’ technical and security capabilities have been the biggest concern for customers considering putting their business in the cloud. In response, multi-cloud architecture has emerged as a next-generation IT architecture for cloud computing, in which users can use resources from different public cloud providers as well as private clouds to achieve business goals. This can effectively improve the availability of public cloud infrastructure while reducing the vendor lock-in risk.
However, operations teams managing such complex, large-scale mixed cloud environments face soaring operating expenses (OpEx). Besides, agile development has gained ground among developers, leading to more and more systems being developed in clouds and featuring reused operations. As DevOps becomes the new normal for cloud applications, inconsistent configurations across environments will result in a marked increase of security risks. Common security issues include unauthorized access to data in storage systems, internal networks made accessible to outsiders by improperly configured security groups, and money wasted on the allocation of excessive resources. For example, in 2017 a joint intelligence department of the US Army and the National Security Agency (NSA) was found to be storing top secret files in Amazon S3 storage buckets that were publicly accessible. These misconfigured S3 buckets allowed any user who typed the correct URL to view contents stored in an AWS subdomain named “inscom”. This subdomain contained 46 files and directories, three of which could be downloaded without any restriction.
It would be inefficient and ineffective to cope with these challenges manually. DisruptOps implements a customizable best practices library to ensure consistency and security, enabling DevOps teams to migrate fast, free of risk, to achieve automated management of clouds.
Products
DisruptOps provides a SaaS-based cloud management platform to implement automated control of cloud infrastructure. Through continuous assessment and enforcement of security, operational, and economic guardrails, enterprises can benefit from the agility, speed, and innovation offered by cloud computing while maintaining operational control.
Security Guardrails
The DevOps mindset pushes developers and operations teams to move faster, deploy faster, and adapt faster. Security should not get in the way or slow the process. Security Guardrails automatically enforces security best practices, not just spotting misconfigurations and attacks, but fixing them usually before users know that there is a problem. This enables DevOps teams to move fast free of risks.
Specifically, Security Guardrails provides the following functions:
(1) Identity and access management (IAM). Identity policies are extended consistently across the cloud to eliminate excessive privileges.
For example, in services such as S3 and EC2, it requires multi-factor authentication (MFA) for console users with API and command line access, and removes unused IAM users and roles, excessive privileges, and unused default virtual private clouds (VPCs).
(2) Monitoring. Logging and alerting are set up consistently across multiple accounts to ensure full visibility of all cloud activities.
For example, it provisions configurations with best practices, sets AWS log rotation and archiving, implements centralized configuration monitoring, implements centralized alerting, and creates security group change alerts.
(3) Networking. Proper network access policies are enforced to ensure proper configuration of security groups, thus minimizing the attack surface.
For example, it locks down default security groups, locks security groups to current settings, assesses or restricts VPC peering, finds security groups with excessive permissions, and enables VPC flow logs.
(4) Storage. Critical data stored is protected by automatic enforcement of policy-based tagging, access, and encryption rules.
For example, it restricts S3 buckets to known IP addresses, identifies public S3 buckets without proper tags, identifies public S3 buckets, and uses KMS keys to encrypt S3 buckets.
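The storage check described above (finding public S3 buckets that lack the proper tags), as an added example that is not DisruptOps code. It assumes inventory records that hold each bucket's ACL grants, policy JSON and tag set in the shapes the S3 API returns; the tag `public-access=approved` and the bucket names are hypothetical.

```python
import json

# URI that S3 ACLs use for the "everyone" group
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
# Hypothetical tag scheme: intentionally public buckets carry this tag.
APPROVAL_TAG = ("public-access", "approved")

# Constructed inventory records (not real buckets)
INVENTORY = [
    {"name": "example-logs", "grants": [], "tags": []},
    {"name": "example-site",
     "grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
     "tags": [{"Key": "public-access", "Value": "approved"}]},
    {"name": "example-dump", "tags": [], "policy": json.dumps({"Statement": {
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-dump/*"}})},
]

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def acl_is_public(grants):
    """True if any ACL grant targets the AllUsers group."""
    return any(g.get("Grantee", {}).get("URI") == ALL_USERS for g in grants)

def policy_is_public(policy_json):
    """True for Allow + wildcard principal + no Condition. Statements with a
    Condition (e.g. an aws:SourceIp restriction) are not flagged: a simplification."""
    if not policy_json:
        return False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            return True
    return False

def assess_bucket(bucket):
    """Return 'private', 'public-approved' or 'public-untagged'."""
    public = (acl_is_public(bucket.get("grants", []))
              or policy_is_public(bucket.get("policy")))
    if not public:
        return "private"
    tags = {(t["Key"], t["Value"]) for t in bucket.get("tags", [])}
    return "public-approved" if APPROVAL_TAG in tags else "public-untagged"
```

Buckets classified `public-untagged` are the ones a guardrail of this kind would alert on or lock down.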
Operations Guardrails
Mature cloud organizations implement shared services across all their cloud environments, including monitoring/logging, IAM, and backup. Operational Guardrails implements best practices for these shared services at scale without requiring scripting or any homegrown solutions.
For example, although AWS allows users to change the type and size of resources on the console, this is not programmatically available. The Trinity API can be used to adjust the size.
Another example would be automatically snapshotting instances on a schedule by using a tag scheme. Moreover, older snapshots can be migrated to Glacier for cost savings.
Economic Guardrails
Development teams are focused more on how to build more applications and deploy them faster. But they have no clear incentives to turn off resources that are not used, making cloud costs spiral out of control. Economic Guardrails uses pre-built policies to shut down unused cloud resources, saving users’ money without impacting the effectiveness of the developers or requiring homegrown scripts.
For example, it uses tags to shut down development and other instances outside of business hours to save costs; adjusts autoscale configurations to reduce off-hours and period costs; reduces the instance size according to instance utilization to save costs; analyzes S3 bucket usage and optimizes them to the right storage tier to reduce costs.
Product Features
The DisruptOps cloud management platform finds and fixes security, operations, and cost management issues at scale, regardless of the size of clouds. It has the following features:
- Continuous Assessment
Developers constantly change things. Operations teams continuously change things. And with each change, they run the risk of violating corporate security policies and straying from best practices. Thus they want to continuously monitor and assess their environment to find violations and then take a variety of actions.
DisruptOps Guardrails maintains a multi-account inventory of all cloud resources, assigns tags to those resources, and supports separate policies based on the tags. For example, users can implement different security policies for their development and production environments. With this kind of flexibility, DisruptOps allows developers to move fast and the operations team to enforce the best practices.
- Automated Enforcement
After identifying issues, DisruptOps provides many options for remediation. Guardrails can be automatically enforced, making changes to move the environment back to the best practice configuration. Better yet, DisruptOps Guardrails is production tested and maintained, unlike many of the scripts O&M teams have built to enforce the policies.
- Guardrails, Not Blockers
The prime directive for cloud security is not to slow down the DevOps process. That said, users need to protect corporate data and enforce security policies and best practices. Guardrails do not block activity; rather they enforce the policies as intended. Users can set whitelists and blacklists for resources where the guardrails do not apply.
For example, if admin access is opened for a security group, the group is not blocked since that would prevent administrators from doing their jobs. Instead, DisruptOps sets the policy only to allow connections from authorized corporate IP ranges. Likewise, if an administrator account requires AWS MFA and that is turned off, as opposed to preventing all access (and taking the admin offline), DisruptOps will reset the policy to require MFA.
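The security group behavior described above, narrowing an open admin rule to corporate ranges instead of removing it, as an added example that is not DisruptOps code. The admin ports, the corporate CIDRs (documentation addresses) and the sample rules are assumptions, and only IPv4 `IpRanges` entries are handled.

```python
import ipaddress

# Assumptions for this example (not from the page): which ports count as
# admin access, and the authorized corporate ranges (documentation addresses).
ADMIN_PORTS = {22, 3389}
CORPORATE_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed security group rules in the EC2 IpPermissions shape
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

def covers_admin_port(perm):
    """True if a rule exposes one of the admin ports."""
    if perm["IpProtocol"] == "-1":      # all protocols, all ports
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return any(perm["FromPort"] <= p <= perm["ToPort"] for p in ADMIN_PORTS)

def is_authorized(cidr, allowed=CORPORATE_CIDRS):
    """True if cidr lies entirely inside one of the allowed ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed)

def plan_remediation(ip_permissions, allowed=CORPORATE_CIDRS):
    """Return (revoke, authorize) lists in IpPermissions shape.
    Admin rules open to unauthorized sources are revoked and re-issued for
    the allowed ranges only, so administrators keep their access."""
    revoke, authorize = [], []
    for perm in ip_permissions:
        if not covers_admin_port(perm):
            continue
        bad = [r for r in perm.get("IpRanges", [])
               if not is_authorized(r["CidrIp"], allowed)]
        if not bad:
            continue
        base = {k: v for k, v in perm.items() if k != "IpRanges"}
        revoke.append({**base, "IpRanges": bad})
        kept = {r["CidrIp"] for r in perm["IpRanges"]} - {r["CidrIp"] for r in bad}
        missing = [{"CidrIp": a} for a in allowed if a not in kept]
        if missing:
            authorize.append({**base, "IpRanges": missing})
    return revoke, authorize
```

The two returned lists have the shape that the EC2 revoke and authorize ingress calls accept, so the plan can be reviewed before it is applied.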
- Quickest Path to DevSecOps
Today adding “Sec” to the DevOps process involves a lot of manual effort to build, test, and maintain scripts. With DisruptOps Guardrails, no programming is necessary. Provisioning happens via a one-click process and Ops are implemented and managed via an intuitive user experience. DisruptOps provides reporting and supports role-based access control to ensure only authorized parties can make changes to the parts of the cloud they manage.
- Support for Cloud Best Practices
DisruptOps can help users implement multi-account strategies and provide Guardrails to follow cloud security guidelines and benchmarks from organizations like CIS. Additionally, many of DisruptOps’s policies result from the hands-on design and architecture work of the company’s founders, who have many years of experience helping organizations implement world-class cloud security and operations.
- Adherence to Least Privilege
The security canon of least privilege is religion within DisruptOps. The company always assigns only the least amount of privilege required to complete an action, and then removes those privileges once the change has been made. The company manages privileges aggressively and continuously to ensure that no additional attack surface results from automating critical aspects of users’ cloud security and operations.
- Cloud Native
DisruptOps was built in the cloud, for the cloud, and utilizes cloud best practices, including multiple account structures, encryption everywhere, and platform-as-a-service offerings, and heavily leverages APIs, containers, microservices, and function as a service. This approach both minimizes the attack surface of the company’s application and allows instantaneous integration with users’ cloud environment. The founders of DisruptOps have been advocating for cloud-native architecture for close to a decade.
- SaaS Delivery
DisruptOps is delivered as a SaaS service, meaning there is no software to install in users’ environment. The innovative one-click provisioning process and a built-in library of Ops ensures that users no longer have to dedicate resources to implementing, building, updating, patching, or re-sizing their Guardrails. So users can get back to building and operating their cloud and DevOps environment.
Summary
Multi-cloud and agile development are hot topics in cloud computing. DisruptOps offers SaaS services. By rapidly detecting and automatically remediating security issues and operational inefficiencies existing in multi-cloud resources, DisruptOps helps customers reduce costs of putting their business in clouds and implements continuous security control of the cloud infrastructure, thereby bringing impressive gains to customers in the aspects of security, operations, and cost. In addition, the automation and service orchestration technologies facilitate the implementation of cloud-native applications and DevSecOps.