The primary cause of misconfigurations is that they are possible. Developers are under constant pressure to produce at speed. Cloud service providers (CSPs) need to make their services easy to use or lose customers to competitors, and they continually introduce new features and services. Security teams are often unaware of the details of the interaction between the company and the CSP.
“We offer something that is prevention first and detection second,” said Neil Brown, co-founder and VP of operations at Kivera. “We catch the risk before it is created rather than find it later.” The result is a set of configuration policies that can be enforced during development. “It means the developers can push forward at speed because any configuration policies will be caught by the guardrails established by company policies enforced by Kivera.”
He added, “Cloud security teams are swamped in a backlog of alerts, and they deserve to get out of triage mode and take control of their cloud security by preventing risk up front. When dealing with sensitive workloads, the consequences of a single mistake, such as accidentally exposing a resource to the internet, can be considerable.”
He provides encryption as an example. “Let’s say I want to build a virtual machine, but haven’t included encryption. Kivera will capture this and say, ‘hey, this machine is exposed to the internet and our company policy says it must be encrypted.’ So, Kivera will recognize the error and enforce preventive controls at build time — we’ll stop risks before they get into the cloud environment. We block the process and send a message to the engineer so that the configuration error can be fixed.” The problem never reaches AWS or Google Cloud or Azure.
While each customer can develop its own policies, Kivera “has thousands of ‘out-of-the-box’ policies already embedded in pre-made policy packs,” he added. “They’re aligned with common frameworks such as NIST 853 or the CSA Cloud Controls Matrix and other compliance standards.”
Accidental – or not so accidental – attempts to bypass the Kivera controls through remote working are stopped at the CSP end. All CSPs have a native identity and access management authorization solution. Kivera uses this: if an engineer's access attempt does not come through Kivera, it is simply blocked.
Kivera was originally founded in Sydney, Australia, in 2019 by Neil Brown (VP of operations) and Vernon Jefferson (CTO). Joe Lea, board member at Viakoo and strategic advisor to AI EdgeLabs and SecureX.AI, joined as CEO in June 2023. The firm has relocated its headquarters to New York to better serve the North American market.

