马克西姆斯 Increases Compliance 和 Reduces Risk Across All Public Clouds With Rapid7 云安全

在整个企业中执行标准的困难

马克西姆斯 has two models for 支持ing its hundreds of AWS 和 Azure  projects:

• 第一个是共享服务模型, 哪些项目依赖于IT组织来构建, 支持, 维护他们的基础设施, 操作系统, 和应用程序. 
• 在第二种情况下，项目团队实践自助的DevOps. They own the process of building, deploying, maintaining, 和 支持ing the product, end to end.

马克西姆斯的安全架构团队, 哪个部门直接向首席信息安全官报告, 确定云标准. “我们的目标是确保我们的标准和环境得到遵守, 账户, 资源是兼容的,Jon Powers说道。, 安全架构高级经理. But enforcing st和ards across the entire enterprise with hundreds of AWS 账户 和 Azure subscriptions 和 different 支持 models was very challenging.

Bridgeman的CCoE团队在CIO办公室内运作. It is responsible for enforcing all written compliance 和 security st和ards in an automated way to enable the project teams to move securely with speed. They have implemented 和 enforced their internal security st和ards 和 st和ards from industry frameworks like NIST 800-53, 独联体, 和AWS基础知识.

“Written st和ards are difficult to consume when you need to build AWS 和 Azure infrastructure resources quickly, 在整个企业中使用不同的工具和自动化,布里奇曼解释道. “We were trying to do it through AWS native tooling, primarily AWS Config, but it had limitations. 和 it didn’t allow us to enforce auto-remediation the way we can take action with InsightCloudSec today.”

强大的功能和易用性:无与伦比的组合

正如布里奇曼解释的那样，马克西姆斯并不想建立自己的解决方案. They chose Rapid7 because it provided all the functionality they required, including:

• Consolidated visibility of active cloud resources running across multi-cloud environments consisting of AWS 和 Azure.
• Continuous monitoring 和 assessment of compliance against customized organizational security st和ards 
• Real-time detections of compliance state changes resulting from new builds 和 configuration changes that make existing resources non-compliant within minutes of a change occurring.
• The ability to both manually 和 automatically enforce compliance 和 update configurations 和 access permissions of non-compliant resources.

Ultimately, Bridgeman cites ease-of-use as the deciding factor in selecting Rapid7 InsightCloudSec. Rapid7的云解决方案不仅可以轻松扩展, but Rapid7’s GUI means that less experienced technical 支持 folks can navigate it. 和 the ability of InsightCloudSec to integrate with Splunk allows us to enrich our data 和 display it in consumable dashboards for Security, IT, 项目所有者.”

结果

Rapid7对马克西姆斯的安全环境产生了积极的影响. It’s unified their security st和ards in a consistent way, across all AWS 和 Azure 账户. 马克西姆斯 has already begun using auto-remediation bots where needed (where remediation steps weren’t being taken by the account owner themselves). 和, Bridgeman says that Rapid7 has provided them a more holistic view of what their compliance looks like—across their entire footprint. 

今天，马克西姆斯的亚马逊网络服务(企业主付款人账户)是:

• 监控44,000多个不同的AWS资源
• 通过80+ Insights监控100,000K+ Microsoft Azure资源
• Has 30+ insights/bots monitoring their environment with automated remediation abilities
• 在实施InsightCloudSec后的头两周内纠正了550多个发现

可靠的数据提高合规性

“Perhaps the most important success story is the simple fact that with Rapid7 we now have a tool that we can trust,布里奇曼说. “我们相信InsightCloudSec提供的数据. That confidence has in turn given the account owners across 马克西姆斯 和 our different business divisions more confidence in the recommendations that we’re presenting them. One of the problems we had before is it was always, ‘Oh, it’s a false positive. 继续前进.但是现在, 实际上，我们能够提供更多关于这些发现的数据, 这是真的, 真的很有帮助.”

“Rapid7 has definitely decreased our risk 和 brought us to a much more consistent state where everybody is working from the same page 和 are very aware of the st和ards. 他们可以看到它. 他们知道InsightCloudSec正在监控合规性，”布里奇曼总结道.

Not only has the total compliance score under their Corporate Master Payer Account improved, 但现在护栏是通过自动化来实施的, 减少不兼容资源的数量. 资源 which are built in a non-compliant way are automatically remediated, 禁用, 删除, 或标记. 

“我们现在有人在构建更合规的资源. 和,they’re taking action on the non-compliant resources much quicker because they’re getting alerted 和 notified. 我们对环境有了更好的了解, 现在，我们可以把它传递给我们的行政领导层. 

底线:安全性提升了客户体验

最大的收获? Perhaps that the security posture of 马克西姆斯 aligns with the firm’s strategic growth pillars–elevating the customer experience. 换句话说, 他们获得了更高的满意度, 表演, 以及智能自动化和认知计算的结果.