CHS for DevOps

CalCom’s Hardening Solution for DevOps is a container host hardening automation solution designed to increase cluster security and compliance posture in the DevOps containerized environment. CHS eliminates outages and reduces security configuration management costs by indicating the impact of any configuration change on the DevOps environment. It ensures a resilient, locked down and monitored host.


THE SPEED VERSUS SECURITY CHALLENGE

DevOps is all about making the development process more efficient. But that often leads to a conflict between developers and security teams, who have put their effort into securing production and dev processes without harming their efficiency. When it comes to hardening the container’s host without damaging production, current deployment tools and techniques have proved to be costly, repetitive, complicated and slow, mainly for two reasons:

DOWNTIME AND TESTING REQUIREMENTS

While using manual hardening methods or familiar configuration management tools, the hardening process may affect the host or application’s functionality and cause downtime. In order to prevent downtime, DevOps spends long hours testing configuration changes in lab environments before deploying them to production environments.

MAINTAINING COMPLIANCE

The authorization of multiple privileged users in an enterprise environment makes it difficult to ensure that systems remain locked down, thus requiring DevOps teams to repeat the hardening process on a regular basis.

Benefits

Reduce hardening costs

Manual work is error-prone, so precautions are needed to prevent outages. CHS eliminates the cost of creating lab environments for manually simulating the impact of configuration changes on the production servers. With CHS, the impact is analyzed directly on the production environment.

Avoid downtime and outages

CHS predicts the impact of configuration changes on the host. By visualizing the impact, CHS’s smart impact analyst determines which values will or will not result in a system outage when locked down.

Ensure cyber resilience

CHS automatically enforces the host’s security policies, ensuring that the hosts are proactively protected and remain compliant.

Enable DevOps teams to enforce extensive security policies

The CHS smart impact analysis gives confidence to the DevOps teams to enforce extensive security policies that eliminate more vulnerabilities and reduce exposures to attacks.

HIGHLIGHTS

LEARNING MODE - PREVENT DOWNTIME, REDUCE COSTS

The CHS learning mode capability:

  • Indicates the reason why an object can’t be hardened, marks the object, and saves it as an exception.
  • Compares different policies for a single host, allowing you to choose the strictest possible hardening policy that won’t affect operations at all.
  • Enables a Sys Admin to learn one host and apply the policy to a group of identical hosts.
  • Aids in managing the integration between configuration management tools (Puppet, Chef, Ansible).

CHS performs automated impact analysis on production. This essentially means zero server outages and zero investment of your engineers’ time in testing.

  • Discovers the object’s current status – shows its “actual values”.
  • Displays the desired policy value.

 

It also indicates the impact of hardening as one of the following:

  • True: The expected values and actual values are identical.
  • False (red): The object is used by the production system and the actual value is valid. Enforcing the desired value will therefore cause damage to the host in production.
  • False (yellow): The value will be changed when the policy is enforced, with no impact on the host’s operation.

CHS then creates a “ready-to-go” policy in accordance with the gap analysis report.

Centralized Enforcement

CHS for DevOps centralizes the enforcement of the desired policy on production:

  • Reduces the number of privileged, authorized people required for enforcement to a minimum.
  • Easier to manage than traditional enforcement methods, therefore minimizing unwanted configuration drifts.
  • Offers cross-platform change management: One-click rollback to the previous policies. The rollback action can be reviewed in the system-generated reports as well.
  • Allows easy policy modification from one centralized dashboard.

 


Change Control

The CHS change control capability:

  • Performs gap analysis at a fixed interval.
  • Issues policy violation alerts when values are discovered to have changed.
  • Enforces the desired values if any unwanted change was executed.

HOW IT WORKS