A new cloud management platform wants to embed security into the development process before any code hits production.
Sachin Aggarwal, founder and CEO of Accurics, describes his new company as a “code to cloud” system that will prevent infrastructure drift and ensure compliance. He said that companies often create their own security risks when developers who usually write application code and business logic take on cloud projects.

“They are writing infrastructure code without understanding exactly what they are building,” he said.

Accurics launched the new cloud management tool today and announced $5 million in seed funding from ClearSky Security, WestWave Capital, Firebolt Ventures, and Secure Octane. Robert Hein, CISO and operating partner at ClearSky Security, said his company invested in Accurics because the startup addresses the greatest challenges in cloud computing.

“This is a complex equation with many variables—the technology must monitor vast amounts of code and make necessary changes while ensuring compliance without hampering production—and the Accurics platform rises to that high standard,” he said.

Paula Musich, research director, security and risk management at Enterprise Management Associates, said a piecemeal approach to securing cloud infrastructure makes a complex task even more difficult.

“What’s needed is a single tool to manage risks and policy violations early in the DevOps lifecycle and ensure that the original configuration intended by the developer remains true and secure once it leaves their hand and goes into production,” she said.


After a cloud project is launched, application owners make changes to the underlying infrastructure to improve the product and add new features. This “configuration drift” can include opening a new communication port, changing access privileges, or creating a new storage bucket. Even when these changes are valid, they can introduce new security vulnerabilities.

Accurics’ goal is to reduce risk before a cloud infrastructure project goes live and then reduce drift or at least make sure any required changes don’t introduce new risks or cause compliance issues.

Aggarwal said that the Accurics approach to building cloud infrastructure is a response to the immutable infrastructure trend, in which a deployed component is replaced with a newly built one rather than modified in place.

Neil MacDonald, vice president and distinguished analyst at Gartner, said the concept of immutable infrastructure has gained traction as a way to better scale the management and security of cloud-native applications.

“This means you don’t change applications, operating systems or other infrastructure once they are deployed into production,” he said. “If you need to make a change, you do it in development and then push the change out into production.”

By automatically monitoring production systems for unexpected drift, the IT team can enforce this, but the question is where to establish the baseline of what is expected for a particular instance.

“The answer is to do this in the development process – to analyze and learn the intended state before the application or service is deployed into production and then monitor and enforce this once it is placed into production,” MacDonald said.


Upa Campbell, chief strategist and marketing officer at Accurics, said the new product is basically the opposite of a point solution for cloud security.

“Different cloud security tools have popped up to solve these issues but at some point you have to step back and look at the entire picture,” she said.

After the initial code review for security and compliance, Accurics continues to monitor changes to the code in production to prevent drift.

“If someone makes a change that infuses risk we detect that and a developer can roll back to the last known secure state,” Campbell said.

In addition to code review, Accurics creates a map of a company’s cloud infrastructure, across a full cloud stack, including serverless, container, and platform technologies. Campbell said that verifying compliance after code is in production is too late.

“The right way is to find the violations earlier in the development lifecycle and run the checks during development when the code is being written,” she said.

This pre-launch review also provides breach path prediction to reduce the attack surface for a cloud deployment.

“We build a threat model based on current topology to identify design risks so that devops can go in and fix that before the infrastructure gets pushed to production,” Campbell said.

The Accurics platform also includes these features:

  • Configuration management database: Code assurance: Continuously scans code files such as Terraform, Kubernetes YAML, Dockerfile, and OpenFaaS YAML for misconfigurations and violations of common compliance and cybersecurity practices, including SOC 2, GDPR, PCI, HIPAA, ISO, CIS Benchmarks, AWS best practices, and the AWS Well-Architected Framework
  • Identity and access management governance: Identifies identity and access management (IAM) roles in the code and in production, and flags roles that are too permissive
  • Remediation: Issues are immediately flagged via alert management mechanisms such as Slack, JIRA, Splunk, webhooks and email, and addressed via integrations with security orchestration, automation and response (SOAR) tools
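The two ideas the article circles around, scanning declared infrastructure for misconfigurations before it ships and then comparing the intended state against what is actually running so that drift which introduces new risk is caught, are small enough to show in working code. The block below is an added illustration written for this page; it is not Accurics code and it does not use the product's data model. The resource dictionaries are constructed sample data in a hypothetical, simplified schema (a real pipeline would load something like `terraform show -json` output or parsed Kubernetes YAML instead), and the three policy checks are representative of the kinds of findings the feature list describes (an admin port open to the whole internet, a non-private bucket ACL, an IAM statement allowing `*` on `*`), not a list of what any product checks.

```python
"""Added example: policy checks over declared cloud resources plus drift
detection against a live snapshot. Hypothetical schema and constructed data;
not Accurics code."""
import ipaddress
from typing import Dict, List

# Constructed "intended state": what the infrastructure code declares.
INTENDED = {
    "aws_security_group.web": {
        "type": "aws_security_group",
        "ingress": [
            {"port": 443, "cidr": "0.0.0.0/0"},   # public HTTPS is expected
            {"port": 22, "cidr": "10.0.0.0/8"},   # SSH only from the internal range
        ],
    },
    "aws_s3_bucket.logs": {"type": "aws_s3_bucket", "acl": "private", "encrypted": True},
    "aws_iam_policy.deploy": {
        "type": "aws_iam_policy",
        "statements": [{"effect": "Allow", "actions": ["s3:PutObject"],
                        "resources": ["arn:aws:s3:::logs/*"]}],
    },
}

# Constructed "live state": the same account after hand edits in production
# (SSH opened to the world, bucket made public, policy widened, new bucket).
LIVE = {
    "aws_security_group.web": {
        "type": "aws_security_group",
        "ingress": [
            {"port": 443, "cidr": "0.0.0.0/0"},
            {"port": 22, "cidr": "0.0.0.0/0"},
        ],
    },
    "aws_s3_bucket.logs": {"type": "aws_s3_bucket", "acl": "public-read", "encrypted": True},
    "aws_iam_policy.deploy": {
        "type": "aws_iam_policy",
        "statements": [{"effect": "Allow", "actions": ["*"], "resources": ["*"]}],
    },
    "aws_s3_bucket.scratch": {"type": "aws_s3_bucket", "acl": "private", "encrypted": False},
}

ADMIN_PORTS = {22, 3389}


def check_resource(name: str, res: dict) -> List[str]:
    """Apply the policy checks that match this resource type; return findings."""
    findings = []
    rtype = res["type"]
    if rtype == "aws_security_group":
        for rule in res.get("ingress", []):
            # prefixlen 0 means 0.0.0.0/0 (or ::/0): the whole internet.
            if ipaddress.ip_network(rule["cidr"]).prefixlen == 0 and rule["port"] in ADMIN_PORTS:
                findings.append(f"{name}: port {rule['port']} open to {rule['cidr']}")
    elif rtype == "aws_s3_bucket":
        if res.get("acl", "private") != "private":
            findings.append(f"{name}: bucket ACL is {res['acl']}")
        if not res.get("encrypted", False):
            findings.append(f"{name}: bucket not encrypted at rest")
    elif rtype == "aws_iam_policy":
        for st in res.get("statements", []):
            if st["effect"] == "Allow" and "*" in st["actions"] and "*" in st["resources"]:
                findings.append(f"{name}: Allow * on * (overly permissive)")
    return findings


def scan(state: Dict[str, dict]) -> List[str]:
    """Run every check over every resource; stable ordering for comparison."""
    return [f for name, res in sorted(state.items()) for f in check_resource(name, res)]


def drift(intended: Dict[str, dict], live: Dict[str, dict]) -> Dict[str, List[str]]:
    """Resources added, removed or changed between intended and live state."""
    added = sorted(set(live) - set(intended))
    removed = sorted(set(intended) - set(live))
    changed = []
    for name in sorted(set(intended) & set(live)):
        for key in sorted(set(intended[name]) | set(live[name])):
            if intended[name].get(key) != live[name].get(key):
                changed.append(f"{name}.{key}")
    return {"added": added, "removed": removed, "changed": changed}


def new_risks(intended: Dict[str, dict], live: Dict[str, dict]) -> List[str]:
    """Findings that exist only in the live state: risk introduced by drift."""
    return sorted(set(scan(live)) - set(scan(intended)))


if __name__ == "__main__":
    print("intended-state findings:", scan(INTENDED))
    print("drift:", drift(INTENDED, LIVE))
    for f in new_risks(INTENDED, LIVE):
        print("NEW RISK:", f)
```

Two design points are worth noting. `scan(INTENDED)` is the pre-deployment gate the article describes: the intended state here passes cleanly, so the public HTTPS rule is accepted as deliberate rather than flagged. `new_risks` then subtracts the accepted findings from the live findings, so the alert stream only carries risk that drift introduced, which is what a team needs in order to decide whether to roll back to the last known good state or to fold the change back into the code.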

Aggarwal said that the Accurics code review process is designed to fit into a company’s existing development lifecycle without introducing any new steps.

“You put your code to the repository and then we’ll analyze your code in our cloud and suggest an easy way to remediate any problems we identify,” he said.

The Accurics platform is available now. The developer edition of the platform is free.
