The Value of k9 Security

A question we’re often asked is, “What is the value for an organization to adopt and use a technology like k9 Security?”

We think k9’s value is best understood relative to how you would secure AWS IAM if you’re not using a system like k9 Security.


Managing AWS IAM without k9 Security

Without k9, your Cloud Engineers struggle to create AWS IAM security policies for new applications, features, and teams onboarding to AWS. The AWS policy language is powerful and flexible, but it is difficult to use correctly. Those same Cloud Engineers, plus Security and Compliance teams, then struggle to understand the effects of those policies. Engineers regularly tell us that understanding who has access to what is impossible in their AWS accounts. And this complexity and confusion is compounded by the accelerating rate of change in Cloud environments. Once you think you understand something — it’s changed.

And so many organizations have little understanding of, or confidence in, their AWS IAM access controls, and little idea whether they are managing risk effectively.


Managing AWS IAM with k9 Security

k9 addresses that by simplifying how Cloud teams interact with the AWS access model, enabling engineers to integrate security with automated delivery processes, and scaling security across the organization.

First, k9 gathers critical access control information from many security services in AWS, normalizes that information, merges it, and simplifies it into a form non-experts understand. k9 reports access capabilities to AWS services and specific resources in six simple terms everyone understands, such as administer-resource, read-data, and delete-data.

This simplification helps engineers spot important access control problems, such as a user who can administer IAM or read critical data when they shouldn’t be able to. Engineers can focus their efforts on analyzing principals’ effective access rather than gathering data and then working out what the underlying policies mean. k9 also provides optimized processes for performing this analysis and publishes them as the k9 Security Katas. These katas are designed for non-experts to execute periodically: quarterly, monthly, or each sprint. This greatly reduces the time to discover access control problems.

Then, k9 gives engineers the ability to quickly and confidently fix the access control problems they find, using security policy generators that accept those same simplified access capabilities. Engineers specify whether an IAM principal should be able to read-data or write-data. The k9 infrastructure code libraries for Terraform and CDK then generate a policy that implements least privilege, encryption requirements, and other best practices. And this happens right in your regular infrastructure delivery process.
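To make the two ideas above concrete (mapping raw IAM actions onto a handful of capability names, then generating a least-privilege policy from those same names), here is a small added Python model. It is not k9 Security’s code, nor a representation of the k9 Terraform or CDK libraries. The action-to-capability table is an assumption for illustration: the page names only administer-resource, read-data and delete-data, and write-data is added here. The sample policy is constructed. A real analysis must also account for Deny statements, conditions, permission boundaries, SCPs and resource policies, which this model deliberately ignores; that gap is exactly why the page stresses merging data from many AWS services.

```python
"""Illustrative model of simplified access capabilities for AWS IAM.

Added example, not k9 Security's code. The mapping below is an assumption
made for illustration; real tooling covers thousands of actions and also
evaluates denies, conditions, permission boundaries, SCPs and resource
policies, all of which this toy ignores.
"""
import fnmatch
import json

# Assumed illustrative mapping: IAM action -> simplified capability name.
ACTION_CAPABILITIES = {
    "s3:GetObject": "read-data",
    "s3:ListBucket": "read-data",
    "kms:Decrypt": "read-data",
    "s3:PutObject": "write-data",
    "kms:Encrypt": "write-data",
    "s3:DeleteObject": "delete-data",
    "s3:PutBucketPolicy": "administer-resource",
    "kms:PutKeyPolicy": "administer-resource",
    "iam:CreatePolicy": "administer-resource",
    "iam:AttachUserPolicy": "administer-resource",
}


def _as_list(value):
    """IAM allows a bare string where a list is expected; normalize."""
    return value if isinstance(value, list) else [value]


def capabilities_of(policy):
    """Map an identity policy document to {capability: sorted actions}.

    Only Allow statements are considered. Wildcards such as "s3:*" or "*"
    are expanded against the known actions in ACTION_CAPABILITIES.
    """
    granted = {}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            for action, capability in ACTION_CAPABILITIES.items():
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.setdefault(capability, set()).add(action)
    return {cap: sorted(actions) for cap, actions in granted.items()}


def flag_risks(capabilities):
    """Return findings of the kind the page describes, as plain strings."""
    findings = []
    admin = capabilities.get("administer-resource", [])
    if any(a.startswith("iam:") for a in admin):
        findings.append("can administer IAM")
    readable = capabilities.get("read-data", [])
    if any(a.startswith(("s3:", "kms:")) for a in readable):
        findings.append("can read data in S3 or decrypt with KMS")
    return findings


def generate_bucket_policy(principal_arn, bucket_arn, wanted):
    """Build an S3 bucket policy from capability names such as {"read-data"}.

    Allows only the S3 actions mapped to the wanted capabilities, scoped to
    the bucket and its objects; denies non-TLS access; and, when write-data
    is granted, denies uploads that are not KMS server-side encrypted.
    """
    actions = sorted(a for a, c in ACTION_CAPABILITIES.items()
                     if c in wanted and a.startswith("s3:"))
    resources = [bucket_arn, f"{bucket_arn}/*"]
    statements = [
        {"Sid": "AllowDeclaredCapabilities", "Effect": "Allow",
         "Principal": {"AWS": principal_arn},
         "Action": actions, "Resource": resources},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny",
         "Principal": "*", "Action": "s3:*", "Resource": resources,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]
    if "write-data" in wanted:
        statements.append(
            {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny",
             "Principal": "*", "Action": "s3:PutObject",
             "Resource": f"{bucket_arn}/*",
             "Condition": {"StringNotEquals":
                           {"s3:x-amz-server-side-encryption": "aws:kms"}}})
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed sample: an overly broad identity policy of the kind found in
# many accounts (wildcard S3 plus the ability to attach policies to users).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:AttachUserPolicy"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    caps = capabilities_of(SAMPLE_POLICY)
    print(json.dumps(caps, indent=2))
    print(flag_risks(caps))
    print(json.dumps(generate_bucket_policy(
        "arn:aws:iam::123456789012:role/reporting",
        "arn:aws:s3:::example-payments-data", {"read-data"}), indent=2))
```

Run as a script, the analysis half collapses the sample policy into four capability names and reports that the principal can both administer IAM and read data; the generator half produces a bucket policy whose Allow statement contains only the read actions, with the TLS requirement attached as a Deny so it cannot be overridden by a later Allow.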


How k9 changes your organization

Now engineers can declare and verify AWS access in a single simplified language used throughout the delivery process.

And we think this makes Continuous Security Policy Engineering practical and scalable for non-experts across the entire organization. Cloud Security experts on Cloud, Site Reliability, Platform, and Security teams are no longer a bottleneck because k9 has expanded who can work with AWS IAM safely — it’s now effectively every authorized engineer in your organization.

There’s work you can stop asking AWS Security specialists to do:

  • create policies by hand
  • build tools to perform basic compliance activities or understand access
  • answer questions about access by Security and Compliance colleagues during audits

People who are not AWS security experts can author and understand AWS IAM now: Application delivery teams, Security Operations, and all the engineers in between.

There are higher-order effects, too. Your risk management program can become much more effective, because you can now continuously know:

  • who is a privileged user
  • who has access to critical data sources and encryption keys

This enables you to proactively reduce your expected losses in a targeted and scalable way.


ROI of k9 Security

The ROI for k9 in a particular organization depends a lot on how that organization currently works. If you’re already auditing access seriously every quarter, we expect you’ll save a lot of engineering effort and money as you offload that work from Cloud Security specialists. Your change throughput to production should also smooth out.

But if security isn’t well-integrated into your delivery process now, you’ll probably discover a lot of latent risk from access control issues that need quick resolution. The good news is that you’ll finally know about those issues and be able to address them in a coherent, scalable, and repeatable way with k9’s code, access analysis, and technical support.

Either way, you’ll be able to operationalize continuous security across your organization with an approach that simplifies AWS security in a scalable way and accelerates delivery without having to develop integrated tooling, processes, and training yourself.

Example ROI for a Payments company

Let’s analyze the ROI for a medium-sized payments company with 15 AWS accounts. Assume:

  • a Cloud Security Engineer can support at most 5 accounts
  • AWS is managed with a mix of CloudFormation, Terraform, and manual changes


Solution Costs (Annual)

  Direct Costs
  • k9 SaaS: $14,400
  • Configuration & Maintenance: $0

  Indirect Costs
  • Engineering (one-time): $3,000
    30 minutes per AWS account; 1-2 days for all AWS accounts
  • Training: est. $3,000
    1 day by 1-3 Cloud Engineers
  • Operations: $24,000
    1-2 days per month

  Total Costs: $45,000

Customer Benefits & Savings (Annual)

  Direct Savings
  • Reduction in Expected Losses: $250,000
  • Reduced opportunity cost from unblocking growth into new markets worth $10M-$100M by 3 months: $250,000

  Indirect Savings
  • 1-2 Cloud Security Engineers (often ‘unfunded’) no longer spent on custom tool building, custom IaC module building, and endless IAM research: $200,000 - $400,000
  • 1-2 Cloud Security Engineers no longer spent on manual audit and data integration: $200,000 - $400,000

  Solution Savings: $900,000 - $1,300,000

Net Savings (Annual): $850,000 - $1,250,000

Learn how k9 can help your organization

Learn more about how k9 can help your organization manage AWS IAM better by watching or scheduling a demo.