maximus通过Rapid7云安全提高了所有公共云的合规性并降低了风险

The Difficulty of Enforcing Standards Across An Enterprise

maximus has two models for 产ing its hundreds of AWS and Azure  projects:

• The first is the shared services model, where projects rely on IT organizations to build, 产, and maintain their infrastructure, operating systems, and applications. 
• In the second, the project team practices self-service DevOps. 他们拥有构建、部署、维护和支持产品的端到端过程.

maximus’ security architecture team, which reports directly to the  cisO, identifies the cloud standards. “Our goal is to ensure that our standards are being followed and environments, accounts, and resources are compliant,” states Jon Powers, Senior Manager of Security Architecture. 但是，在拥有数百个AWS账户和Azure订阅以及不同支持模型的整个企业中执行标准非常具有挑战性.

Bridgeman’s CCoE team operates within the Office of the CIO. 它负责以自动化的方式执行所有书面的遵从性和安全性标准，以使项目团队能够安全快速地移动. 他们已经实现并执行了内部安全标准和来自NIST 800-53等行业框架的标准, cis, and AWS Fundamentals.

“当你需要快速构建AWS和Azure基础设施资源时，编写的标准很难使用, with different tools and automation across the enterprise,” explains Bridgeman. “我们试图通过AWS本地工具(主要是AWS Config)来实现这一点，但它有局限性. 它不允许我们执行自动修复，而我们今天可以通过InsightCloudSec采取行动.”

Robust Functionality and Ease-of-Use: An Unbeatable Combination

As Bridgeman explains, maximus didn’t want to build their own solution. 他们选择了Rapid7，因为它提供了他们需要的所有功能，包括:

• 跨由AWS和Azure组成的多云环境运行的活动云资源的统一可见性.
• 根据定制的组织安全标准对遵从性进行持续的监视和评估 
• 实时检测由于新构建和配置更改而导致的法规遵循状态更改，这些更改会在发生更改的几分钟内使现有资源不合规.
• 手动和自动执行遵从性并更新不遵从性资源的配置和访问权限的能力.

最后，Bridgeman认为易用性是选择Rapid7 InsightCloudSec的决定性因素. “Not only can Rapid7’s cloud solution easily scale, 但Rapid7的GUI意味着没有经验的技术支持人员也可以浏览它. InsightCloudSec与Splunk集成的能力使我们能够丰富我们的数据，并将其显示在可消费的安全仪表板上, IT, and project owners.”

the results

Rapid7 has had a positive impact on maximus’ security environment. 它以一致的方式统一了所有AWS和Azure帐户的安全标准. maximus已经开始在需要的地方使用自动修复机器人(在账户所有者自己没有采取修复步骤的地方). and, Bridgeman说，Rapid7为他们提供了一个更全面的视图，了解他们的合规情况，包括他们的整个足迹. 

Today, maximus’ Amazon Web Services (Corporate Master Payer Account) is:

• Monitoring 44,000+ different AWS resources
• Monitoring 100,000K+ Microsoft Azure resources with 80+ Insights
• 是否有30多个洞察/机器人通过自动修复能力监控他们的环境
• Corrected 550+ findings in first 2 weeks after implementing InsightCloudSec

Reliable Data Increases Compliance

“也许最重要的成功故事是一个简单的事实，即有了Rapid7，我们现在有了一个可以信任的工具,” offers Bridgeman. “We trust the data that InsightCloudSec is providing. 这种信心反过来又让maximus和我们不同业务部门的客户所有者对我们向他们提供的建议更有信心. 我们之前遇到的一个问题是，‘哦，这是一个假阳性. move on.But now, we’re actually able to provide a bit more data around the findings, which is really, really helpful.”

“Rapid7无疑降低了我们的风险，使我们处于更加一致的状态，每个人都在同一页面上工作，并且非常了解标准. They have visibility into it. They know that InsightCloudSec is monitoring compliance,” concludes Bridgeman.

不仅在他们的企业主付款人账户下的总合规得分有所提高, but guardrails are now enforced through automation, reducing the volume of non-compliant resources. Resources which are built in a non-compliant way are automatically remediated, disabled, deleted, or flagged. 

“We now have people building more compliant resources. and,他们对不合规的资源采取行动的速度要快得多，因为他们得到了警报和通知. We have much better visibility into the environments, and we can now pass that up the ladder to our executive leadership. 

Bottom Line: Security Elevates the Customer Experience

The biggest takeaway? 也许maximus的安全姿态与公司的战略增长支柱——提升客户体验——是一致的. In other words, they’re achieving higher satisfaction levels, performance, and outcomes through intelligent automation and cognitive computing.