Maximus Increases Compliance and Reduces Risk Across All Public Clouds With Rapid7 Cloud Security

About Maximus

As a leading strategic partner to governments around the world, Maximus helps improve the delivery of public services amid complex technology, health, economic, environmental, and social challenges. With a deep understanding of program service delivery, acute insight that achieves operational excellence, and an extensive knowledge of the needs of those being served, our people drive the mission-critical work of our partners. Maximus offers innovative business process management, impactful consulting services, and technology solutions that provide improved outcomes for the public and higher levels of productivity and efficiency of government-sponsored programs.

The Challenge

Maximus' key challenge was enforcing standards and ensuring consistency across all public cloud environments. The company has more than 200 AWS accounts under management, and its Azure presence is also growing. It is critical for the organization to have visibility into the many projects spanning AWS and Azure, so that everyone from the technical support teams all the way up to C-level leadership understands the compliance status across the enterprise.

Maximus looked for a solution that would enable it to:

  • Enforce standards across all public cloud accounts and regions
  • Provide visibility into non-compliant resources and the priority/severity of each non-compliance
  • Create an exception process that excludes particular resources in certain accounts
  • Deliver an automated way to take remediation actions

The Solution

To address these challenges, Maximus implemented InsightCloudSec, Rapid7's cloud risk and compliance solution. Rapid7 worked with Maximus to customize the product release to meet their compliance requirements. As a result, the total compliance score across Maximus' multi-cloud environment increased.

"We wanted to work with somebody that had the ability and the resources to meet our requirements and our customer requirements. We selected Rapid7 because we needed everybody on the same page and operating from the same playbook when it came to standards and compliance across all public cloud environments."
Guy Bridgman, Director of the Maximus Cloud Center of Excellence (CCoE)

The Difficulty of Enforcing Standards Across the Enterprise

Maximus has two models for supporting its hundreds of AWS and Azure projects:

  • The first is a shared services model, in which projects rely on the IT organization to build, support, and maintain their infrastructure, operating systems, and applications.
  • In the second, project teams practice self-service DevOps. They own the process of building, deploying, maintaining, and supporting the product, end to end.

Maximus' Security Architecture team, which reports directly to the Chief Information Security Officer, defines the cloud standards. "Our goal is to ensure that our standards are being followed and that environments, accounts, and resources are compliant," says Jon Powers, Senior Manager of Security Architecture. But enforcing standards across the entire enterprise, with hundreds of AWS accounts and Azure subscriptions and different support models, was very challenging.

Bridgeman's CCoE team operates within the CIO's office. It is responsible for enforcing all written compliance and security standards in an automated way, to enable the project teams to move securely with speed. They have implemented and enforced their internal security standards and standards from industry frameworks like NIST 800-53, CIS, and AWS Foundations.

"Written standards are difficult to consume when you need to build AWS and Azure infrastructure resources quickly, using different tools and automation across the enterprise," Bridgeman explains. "We were trying to do it through AWS native tooling, primarily AWS Config, but it had limitations. And it didn't allow us to enforce auto-remediation the way we can take action with InsightCloudSec today."

Powerful Features and Ease of Use: An Unbeatable Combination

As Bridgeman explains, Maximus did not want to build its own solution. They chose Rapid7 because it provided all the functionality they required, including:

  • Consolidated visibility of active cloud resources running across multi-cloud environments consisting of AWS and Azure.
  • Continuous monitoring and assessment of compliance against customized organizational security standards.
  • Real-time detection of compliance state changes resulting from new builds and configuration changes that make existing resources non-compliant, within minutes of a change occurring.
  • The ability to both manually and automatically enforce compliance and update the configurations and access permissions of non-compliant resources.

Ultimately, Bridgeman cites ease of use as the deciding factor in selecting Rapid7 InsightCloudSec. "Not only does Rapid7's cloud solution scale easily, but Rapid7's GUI means that less experienced technical support folks can navigate it. And the ability of InsightCloudSec to integrate with Splunk allows us to enrich our data and display it in consumable dashboards for Security, IT, and project owners."

The Results

Rapid7 has had a positive impact on Maximus' security environment. It has unified their security standards in a consistent way across all AWS and Azure accounts. Maximus has already begun using auto-remediation bots where needed (where remediation steps weren't being taken by the account owners themselves). And, Bridgeman says, Rapid7 has provided them a more holistic view of what their compliance looks like across their entire footprint.

Today, Maximus' Amazon Web Services (Corporate Master Payer Account) is:

  • Monitoring 44,000+ distinct AWS resources
  • Monitoring 100,000K+ Microsoft Azure resources through 80+ Insights
  • Running 30+ Insights/bots that monitor their environment with automated remediation abilities
  • Remediating findings: 550+ findings were remediated within the first two weeks of implementing InsightCloudSec

Trusted Data Improves Compliance

"Perhaps the most important success story is the simple fact that with Rapid7 we now have a tool that we can trust," Bridgeman says. "We believe the data InsightCloudSec provides. That confidence has in turn given the account owners across Maximus and our different business divisions more confidence in the recommendations that we're presenting them. One of the problems we had before is it was always, 'Oh, it's a false positive. Move on.' But now, we're actually able to provide more data about these findings, and that has been really, really helpful."

"Rapid7 has definitely decreased our risk and brought us to a much more consistent state where everybody is working from the same page and is very aware of the standards. They can see it. They know InsightCloudSec is monitoring compliance," Bridgeman concludes.

Not only has the total compliance score under their Corporate Master Payer Account improved, but guardrails are now enforced through automation, reducing the number of non-compliant resources. Resources that are built in a non-compliant way are automatically remediated, disabled, deleted, or tagged.

"We now have people building more compliant resources. And they're taking action on the non-compliant resources much quicker because they're getting alerted and notified. We have a better understanding of the environment, and now we can pass it along to our executive leadership."

The Bottom Line: Security Elevates the Customer Experience

The biggest takeaway? Perhaps that the security posture of Maximus aligns with the firm's strategic growth pillars, elevating the customer experience. In other words, they are achieving higher satisfaction, performance, and outcomes through intelligent automation and cognitive computing.
