Security against cloud compromise

Horangi’s CEO and co-founder, Paul Hadjy speaks to Enterprise IT News about the latest findings from its recent cybersecurity report.

EITN: Horangi has published a report that 99-percent of cloud infra scans exposed security vulnerabilities. In your words, can you briefly share how these scans work?

Paul Hadjy

Paul: Warden continuously scans cloud infrastructure by directly integrating with the management APIs of the Cloud Service Providers. Customers onboard their cloud accounts or projects by providing read-only access to the metadata of their cloud infrastructure’s configuration. Warden then analyses this metadata, running it through rules to check for security and compliance risks such as overly permissive access controls or insufficient encryption.

EITN: Based on that report, what does the result of 99-per cent scanned vulnerabilities mean, in your opinion?

 Paul: I think that number is simply a reflection of the relatively early stage at which the industry is in terms of securing Cloud Infrastructure and of the complexity of doing so without the right expertise, automation and tooling. Those are exactly the problems that we are helping to solve with Warden. We have a lot of work ahead of us given how few weeks go by without a new breach being disclosed, affecting even the most sophisticated companies like Microsoft or Facebook.

EITN: When was Warden launched, and how has its tools and offerings evolved since then till now?

Paul: Horangi Warden was first launched in April 2019, and how time has flown! Warden has improved and refined in leaps and bounds since then, around key themes of depth, breadth, and usability.

Depth: Compliance has become an important part of Warden as we realised that meeting and reporting on compliance requirements was a significant pain point for our customers. We have added vulnerability management so users can adjust Warden’s findings to accurately reflect the uniqueness of their business by modifying the severity of issues or hiding those they accept the risk of.

We’re also very excited about Playbook remediations which give users an automated way of fixing vulnerabilities, saving them a lot of time spent on manual and more error-prone tasks.

Breadth: Warden has become a multi-cloud solution with support for Google Cloud Platform in addition to covering a larger number of AWS services, and we will be continuing down this path with more cloud service providers being added in 2021.

Usability: We have also been constantly improving the user experience of Warden to make it simple to use and accessible to users with any level of expertise in cloud, security or compliance. We see this as a key differentiator compared to traditional security tools that require in-depth training and significant time investments.

EITN: How do you work with partners like Tokio Marine Insurance and Athena Dynamics?

Paul: As a software and services company, Horangi has many partners. Most of those partners fall into two major categories. Our GTM Partners (Go To Market) help us get our products and services to market through partnerships similar to Tokio Marine, where we offer discounts to companies that use their insurance policies. We also have resellers like Athena, who resell Horangi’s products and services to customers.

EITN: Horangi seems to promote cloud-based security, which is what Warden, among other Horangi solutions may be. But doesn’t the fact that 99-percent scans expose vulnerabilities in cloud infrastructures, meaning that Horangi’s cloud-based solutions are not invulnerable themselves? How do you protect your solutions from compromise?

Paul: Horangi embraces the Shared Responsibility Model of cloud security by implementing cloud security validation and assurance throughout our software development process.

We achieve this by using Warden to inspect and validate our cloud security at the early stage of development, in isolated test environments without real data. As we implement full Infrastructure as Code, where all cloud resources are managed and provisioned through high-level descriptive coding languages and configuration files, we are able to continuously fix and harden our cloud security before releasing it into production. That practice significantly reduces our risk exposure without compromising on development velocity.

With Infrastructure as Code, we are able to deploy to production environments with ease and confidence that the cloud infrastructure matches our security baseline. Running Warden on our production environment provides continuous assurance against configuration drift and mismanagements.