Which vendor or tool is your preferred for cloud security? One tool will never suffice, but as we expand to cloud development, we are looking for code to cloud security, SDLC, vulnerability testing, secdevops, etc.

CloudSecurity & GRC
1.9k viewscircle icon2 Comments
Sort by:
VP of Information Security in Softwarea year ago

It depends what you are trying to cover, this is a broad topic. 
For IaaS: Cloud Security Posture Management Capabilities (CSPM). Some capabilities are native to the cloud provider, or you may consider other solutions (Orca, Wiz, Prisma, Laceworks, etc.) for multi-cloud. These tools are pretty good for vulnerability detection, misconfiguration, controls testing, etc.

If you are running DevOps or infrastructure as code, I've seen a neat product called Gomboc.ai that allows you define security policies and the tool will scan your code repositories (e.g. Github, Gitlab etc.) and will automatically create for the engineers pull requests with code to implement the security control. It saves fixing vulnerabilities later, and it is like having a virtual security engineer that helps your developers. 

There are other solutions for Cloud Detection and Response (CDR), which seems to be a newish category. 

Lastly, the CSPMs are constantly adding these capabilities to their "platform", some are good, others not so much but you can take a look and see if what they provide is good enough or if some dedicated tools are better for your use cases

Lightbulb on1
CIO in Governmenta year ago

Different regions may have different requirements. It's important to know what cyber framework your vendor is compliant with (i.e. NIST, Essential 8, ISO27001, etc.). Also, you get a lot of out of the box /in-built security features with your cloud hosting provider such as Azure, AWS, etc.  Data sovereignty is another critical one to review when assessing vendor/tools. 

Content you might like

Do you have a lock out policy for system accounts? If so, how many attempts do you have it set too? 

Have you considered not having a lock out policy where accounts are vaulted / rotated & standing access is removed?

We’re using Nextcloud for most of our data storage and collaboration, and Microsoft 365 E3 for email and productivity. As we work toward compliance with the NCA’s Data Cybersecurity Controls, we’d like your help assessing:
• What security capabilities in Nextcloud (e.g., access control, encryption, logging, watermarking, DLP) support DCC compliance?
• Where Microsoft 365 E3 can help fill any gaps—especially for classification, watermarking, DLP, and audit/logging?
• Any recommended Nextcloud apps or configurations that can accelerate compliance?
We’re working under tight timelines, so a prioritized list of quick wins and a roadmap for deeper integrations would be very helpful.

Read More Comments

How is your company currently utilizing edge computing?

Production data analysis19%

Equipment data analysis (capacity, etc.)59%

Part of overall equipment effectiveness analysis16%

Other (share below)4%

View Results

It's been announced that Windows 11 will be serviced on a monthly basis, similar to Windows 10's infamous "Patch Tuesdays". What's the ideal service cadence for this OS?

Updates should be released daily.10%

Updates should be released weekly58%

Updates should stay monthly.22%

Updates should be pushed quarterly.8%

Other (comment below)

View Results

As part of our NYSE IPO prep, we’re debating how to communicate our system hardening efforts in regulatory disclosures (e.g., SEC Form 20-F, SFC).

Would you recommend sharing % compliance (e.g., “85% CIS Tier 2”) or sticking to qualitative descriptions of how we identify and mitigate risks? Also, do SFC/ISO 27001 expectations require full ISMS integration, or is a % model acceptable?