January 4, 2023

Last Updated on January 12, 2024

To make the most of a move to cloud-based workloads and cloud-native application development, enterprises need to address associated security and compliance challenges. The traditional “security by design” approach needs a rethink to sync with DevOps and “as code” pipelines.

To talk about “governance as code” and its implications for application security and compliance in the cloud, the latest episode of The Virtual CISO Podcast features Fausto Lendeborg, cofounder and Chief Customer Officer at Secberus.

Beyond Cloud Security Posture Management?

While Secberus competes in the cloud security posture management (CSPM) space, they have positioned their product to solve a wider problem.

“CSPM is a component of our platform,” Fausto clarifies. “But I think there are bigger problems to solve. There are challenges that enterprises are now starting to understand they need to solve for.”

With Secberus, governance is a top-down, business-oriented approach to solving the security and compliance challenges that come with cloud workloads.

“We like to say governance is how the enterprise aligns their requirements, their risk, and their intent into security and compliance,” states Fausto. “Before we used to rely on security to provide governance. Put a tool in the engineering box, and eventually governance.”

But modern enterprise platforms are business-driven. So, governance must be business-driven and enabled by security and compliance—all working together simultaneously. It’s the ultimate “tone from the top.”


Governance as code

In a DevOps world, “everything is transitioning into an as-code stack,” says Fausto. “It’s about velocity and velocity is what got us here—the security problem and the cloud.”

Fausto argues that an as-code problem demands an as-code solution: “So when we started thinking about how can we build governance, security and compliance continuously to mitigate the risk that an as-code world brings, we needed to think about governance as code.”


Still secure by design

The driver for governance as code is the requirement for “a solution that doesn’t block the engineer from going fast and from building.” Traditional “secure by design” approaches can’t clear this hurdle.

As John frames it, “Your policy [as code] is design. You validated that the design is secure. It’s a better form of security by design because you’re integrating security by design into the workflow.”


The joys of auto-remediation

Fausto acknowledges that, historically, many organizations have been unwilling to turn on auto-remediation in security products. Why not automatically fix an issue the moment you detect it?

“How can you fix something without understanding the impact?” Fausto asks. “And you’re risking the problem of a false positive. If it’s a false positive and you break something, now you have a business risk.”

Instead of straight auto-remediation, Secberus detects the issue and then notifies the correct person.

“When you inform the right person of the problem, you now are cutting the investigation time by 100x,” points out Fausto. “In the typical security world, we used to send all the alerts to the security team. But the security team doesn’t have any context on the application they’re building.”

For Secberus, it’s key to understand who owns the application, so that when the platform detects security policy violations it can correctly route the notification.


False positives and alert fatigue

One of the biggest cybersecurity challenges enterprises face in the cloud is the volume of false positives, and the alert fatigue it causes, across their security tools.

“We are coming from a world where there are too many alerts and engineers are just turning these tools off because who can spend so much time investigating these alerts?” asks Fausto. “The pain that we combat the most is the operational challenges that these enterprises have in trying to eliminate alert fatigue and reduce false positive rates. Because if you can do that, your mean time to remediate gets shorter.”

When you turn on an enterprise security solution and point it at 500 cloud environments, you’re going to get 50,000 alerts. How do you manage that? You can’t auto-remediate everything, you can’t fix everything by hand, and you can’t hand it all to the SOC to investigate.

Secberus helps solve the problem by routing the alerts to the right people and then tracking how they’re handled.


“We are living in a giant lake of alert fatigue and we solve that by helping enterprises solve the operational challenge by routing the alert to the right person and tracking the entire process.”—Fausto Lendeborg


OOTB policies

When Secberus generates policy as code, it uses the Rego language.

“There was a huge project out of the Cloud Native Foundation called Open Policy Agent that built Rego and it has a huge community,” Fausto explains. “Rego is a very easy language to write for an engineer. With 4, 5, 6 lines of code, we can read or write through the logic.”

Secberus provides over 600 policies out of the box for customers to start with. Each policy can be cloned and edited, and is fully customizable around factors such as compliance regulations and risk severity.
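To show what a few-line policy-as-code rule of this kind looks like, here is an added example written in Rego for Open Policy Agent. It is an illustration, not a Secberus policy or anything from the podcast: the input shape (a list of buckets with an ACL and tags), the `owner` tag, and the `route_to` field used to send the finding to the application owner are all assumptions.

```rego
package governance.storage

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# One finding per bucket whose ACL grants read access to "allUsers".
# The owner tag travels with the finding so the alert can be routed to
# the team that owns the application instead of a central security queue.
violation contains finding if {
    some bucket in input.buckets
    "allUsers" in bucket.acl.read
    finding := {
        "resource": bucket.name,
        "severity": "high",
        "route_to": object.get(bucket.tags, "owner", "unassigned"),
        "reason": "bucket grants public read access",
    }
}

# Constructed sample input (hypothetical; in practice the scanner supplies `input`).
sample_input := {"buckets": [
    {"name": "public-assets", "acl": {"read": ["allUsers"]}, "tags": {"owner": "web-team"}},
    {"name": "billing-exports", "acl": {"read": ["svc:billing"]}, "tags": {"owner": "finance"}},
]}

# `opa test .` runs this check: exactly one finding, routed to web-team.
test_public_bucket_routed_to_owner if {
    findings := violation with input as sample_input
    count(findings) == 1
    some f in findings
    f.resource == "public-assets"
    f.route_to == "web-team"
}
```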

“Create any custom framework, any custom logic, any custom process, and automation, and then do that multi-cloud.”—Fausto Lendeborg


What’s next?

To listen to this podcast episode with Fausto Lendeborg from Secberus, click here.