Cavirin Hybrid Workload Security
Strengths: Scalability, continuous assessment and remediation, DevOps support that forces security to be built-in during development instead of tacked on at the end. Extremely rapid deployment, even if you build your own policies (there are thousands available out of the box).
Weaknesses: None that we found.
Verdict: This one really demands your attention if you are working in a hybrid environment. We have seen nothing that quite compares and the technology used is both unique and innovative. For its hybrid focus this is one of our Recommended products this month.
The Cavirin platform provides continuous security assessment and remediation across hybrid workloads. It offers a single view of the enterprise spanning on-premise, Amazon Web Services, Google Cloud Platform, Azure, and Docker deployments, using a wide range of best practices benchmarks and regulatory guidelines. The product is designed specifically for use in hybrid enterprises, especially in organizations with a DevOps program. This is, of necessity, a next generation tool and its uniqueness lies in the way it treats a hybrid enterprise.
The tool is agentless and uses a technique called micro-services. According to the web site microservices.io, micro-services are "...an architectural style that structures an application as a collection of loosely coupled services, which implement business capabilities." This improves scaling in large cloud environments. It also takes full advantage of existing cloud services within the cloud where it is either deployed or monitoring.
On first deployment, the product performs discovery and maps the entire enterprise regardless of where the network extends. So, it sees cloud, on-premises and Docker containers transparently as all part of the same enterprise.
This was one - and the only - case we saw of what we considered a completely hype-ridden claim of up and running in an hour or less. In our experience this is about as close to impossible as it gets. The facts in this case, however, challenged that premise strongly because, by the time we had watched the Cavirin engineers deploy on a test network, less than an hour had passed, discovery was done, and we were beginning to see policy violations based upon the policies and standards available out of the box. To say that we were amazed does not quite fully state our reaction. We expect that if you plan on a lot of customization or the enterprise is very large it might take a little longer, but we cannot see it stretching into the weeks and months typical for this type of product.
When the initial deployment began the tool started discovery and then created applicable policies. It then needed an account for itself on the cloud service where it was monitoring. Monitoring is constant so discovery and testing against policies and standards is ongoing. It has a robust API and can integrate with third-party ticketing systems.
Once the first round of discovery is complete it scans and provides a test report of the results. The reporting is very complete and the drill-downs are excellent. Compliance reports are available down to the device level and can be output either in Excel or .pdf format. The workflows are automated and the automation is the most complete and effective we've seen so far. In fact, we'd go so far as saying that as far as human intervention is concerned, there is almost no workflow because the tool does everything under the covers.
Especially impressive is the way it handles Docker security. Rather than wait until a container is finished and integrated into an application, Cavirin tests as it goes - in our view a notable best practice - and will not allow the developer to progress to the next step in the development process until the module under test is secure and has passed its tests.
Scalability is based upon the precepts of micro-segmentation. This extends to backend databases which use a segmentation technique called "sharding". Overall this product can scale to millions of resources being managed.
Support at the standard level is included and advanced support is available on special quote. The web site is useful with lots of resources available. Pricing is exceptional.