Looking Back and Moving Forward With Rapid7’s Cloud Security Solution

This blog post was co-authored by Jamie Gale and Charles Stokes.

Done with Q1

The DivvyCloud by Rapid7 team has had a busy and productive start to 2021, and we anticipate that the rest of this year will be equally exciting for our valued customers. In the first three months alone, we incorporated over 60 requests that came to us directly from our customers. It is through these partnerships and ongoing dialogues that we solicit feedback and suggestions that will ultimately contribute to a product that can better serve today’s challenging and emerging cloud security needs.

Here’s a look back at some of the value the team rolled out for customers in Q1 2021.

Just in Time User Provisioning LDAP/SAML

In March, we added support for authentication server synchronizations in a feature we call Just in Time User Provisioning (JIT). DivvyCloud JIT provides the capability to synchronize users and groups from an external identity provider authentication server (Okta, LDAP, Ping, Microsoft Active Directory, etc.). When an authentication server is configured in DivvyCloud, a scheduled sync job runs once an hour, and updates can be applied at user login for SAML authentication servers.

This feature, combined with the group-based entitlement feature, makes it easy for DivvyCloud admins to manage user access from their identity provider without having to make additional updates for users in DivvyCloud.

Group Entitlement Support

As of release 21.1, we added support for group-level entitlements. This feature enables administrators to assign entitlements to defined groups, rather than just at the individual user level, thereby improving the experience for our customers with larger numbers of DivvyCloud users.

Support for Oracle Cloud Infrastructure

DivvyCloud now includes support for Oracle Cloud Infrastructure (OCI). To get started, check out more detailed information about how to connect an Oracle tenant, the list of OCI resources that DivvyCloud supports, and information about our new OCI Compliance Pack.

While initial support for this new cloud service provider will be limited, we plan to expand the supported features and services for OCI over the course of 2021.

Updated PCI DSS Compliance Pack

We updated the Payment Card Industry Data Security Standards (PCI DSS) Pack so that DivvyCloud Insights map to the current PCI DSS requirements. This pack is important for many of our customers who are required to align with PCI DSS.

Organization-Level Event Driven Harvesting

We have incorporated a new approach to Event-Driven Harvesting (EDH), known as Org-Level or CloudTrail EDH, which provides a new method for AWS users to implement EDH.

Org-Level EDH generally behaves in the same way as our existing EDH, with two key differences: speed and maintenance. This new method retrieves information in approximately 10–15 minute intervals and does not require additional manual configuration when new cloud accounts are added. You can learn more by reviewing our documentation here.

IaC performance improvements

If you’re a current DivvyCloud user, you may have noticed a big change in the amount of time needed for Infrastructure as Code (IaC) scans. Our improvements have contributed to substantially shorter (up to 500%!) scan times. These changes should be transparent for most customers running DivvyCloud on AWS, as the default user provisioned for RDS has root-level permissions and can create/modify existing and new database schemas.

Additional improvements include the separation of the data schema, allowing simulation scans to avoid impact by table locks and row-level operations that sometimes slow things down.

Easier Azure onboarding

Beginning with 21.2.0, DivvyCloud includes support for adding multiple Azure accounts by taking advantage of the Azure Management Groups functionality. Learn more about how to take advantage of this helpful management feature.

Improved/newly supported resources, new Insights, and new Filters

In each release, we strive to raise the bar by expanding the cloud resources we support and by adding new Insights and Filters. Here’s a look at what we did during Q1.

Improved/Newly Supported Resources

AWS

  • IaC support for API Gateway/API GatewayV2
  • IaC support for CodeBuild and ACM
  • IaC support for AMIs and DMS Replication Instances
  • Visibility and tag lifecycle support for API Gateway Stages/API keys
  • Visibility and tag lifecycle support for DataSync tasks
  • Support for Storage Gateways (file share)
  • Visibility, tag, and EDH support for Amazon Managed Workflows for Apache Airflow
  • Visibility into the tag mutability and IaC analysis for ECR

Azure

  • Harvesting and IaC support for Search Services
  • IaC support for Container Registry/Kubernetes Clusters
  • IaC support for MySQL/PostgreSQL/MariaDB/SQL Database Instances
  • Added visibility and IaC support for Databricks Workspaces
  • Added visibility and IaC support for DataFactory
  • Added support for Dedicated Hosts (Hypervisors)

General

  • Improved support for domain names and SSL certs in Application Gateways

New Insights

Oracle

  • OCI Compliance Pack Insights, including:
      • Cloud Account Missing Event Rule And Notification For Network Gateway Changes
      • Cloud Account Missing Event Rule And Notification For Network Security Group Changes
      • Cloud Account Missing Event Rule And Notification For Security List Changes
      • Cloud Account Missing Event Rule And Notification For Route Table Changes
      • Cloud Account Missing Event Rule And Notification For Virtual Cloud Network Changes
      • Cloud Account Missing Event Rule And Notification For IAM User Changes
      • Cloud Account Missing Event Rule And Notification For IAM Policy Changes
      • Cloud Account Missing Event Rule And Notification For IAM Group Changes
      • Cloud Account Missing Event Rule And Notification For Identity Provider Changes
      • Cloud Account Without Default Tags Defined At Root Compartment Level
      • Encryption Keys Managed By Customer (CMKs) Not Rotated Annually
      • Cloud Account Without Cloud Guard Enabled In Root Compartment
      • Cloud Account With Noncompliant Retention Period
      • Cloud Account Without Compartment In Root Tenancy
      • Cloud Account Missing Event Rule And Notification For Identity Provider Group Mappings Changes

AliCloud

  • Cloud Account Password Policy Age Without Annual Expiration

AWS

  • Cloud Account Password Policy Age Without Annual Expiration
  • File Share Has Allowed Clients Set To 0.0.0.0/0
  • Airflow Environment Allows Public Web Server Access
  • Airflow Environment Without Proper Logging Configuration
  • Stored Parameter Encrypted With Provider Default Keys
  • Stored Parameter Is Not Encrypted

Azure

  • Storage Account not using Customer Master Key

GCP

  • NAT Gateway Without Logging Enabled

Kubernetes

  • Kubernetes Cluster Engine Logging Disabled

New Filters

  • Airflow Environment Missing Logging Configuration
  • Airflow Environment Webserver Access Mode
  • Application Gateway Protocol
  • Cloud Account Audit Retention Period
  • Cloud Account CIS Alerting Policy Missing
  • Cloud Account Compartment Count
  • Cloud Account Without Cloud Guard Enabled
  • Cloud Account Without Default Tags
  • Container Registry Allows Tag Mutability
  • File Share Client List
  • File Share Storage Class
  • File Share Type
  • Instance Metadata Usage Without Token Count
  • NAT Gateway Without Logging Enabled
  • Resource Contains Tag Key With Empty Value
  • Resource Running On Cloud Outpost
  • Route State
  • Search Cluster Publicly Accessible
  • Secret Is Default
  • Storage Account Allows Public Blob Access
  • Storage Container Bucket Key Enabled/Disabled
  • Storage Container Replication Target Bucket
  • Stored Parameter Expires Soon
  • Stored Parameter No Expiration
  • Stored Parameter Not Encrypted
  • Stored Parameter Storage Tier
  • Stored Parameter String Type

To do in Q2

Using the momentum we built in Q1, we plan to incorporate at least 60 more requests from our customers in the next three months. Some of these improvements will involve Azure Active Directory, Cloud Formation Templates, Azure Event-Driven Harvesting, and IAM improvements, so stay tuned!

If you’re a DivvyCloud by Rapid7 user and have feedback or suggestions, we encourage you to make your voice heard by contacting [email protected].
