Square Financial Services (Square), a wholly owned subsidiary of Block, provides a complete set of business tools and fair lending so that every eligible business has access to financing for its ambitions. Square partners with businesses of all sizes, from large, enterprise-scale companies with complex commerce operations to sellers just starting out, as well as merchants who began selling with Square and have grown larger over time. Square supports sellers from Australia to Ireland, Canada to Japan, and all 50 US states.
Block's cloud security team is the foundational unit supporting every line of business at Block that uses cloud platforms, including Square. The team is responsible for preventive controls, reactive controls, and secure-by-default options for developers and engineers. They also build security-approved modules that fit many different use cases, train teams on industry security standards, and ensure the secure use of all cloud platforms.
In 2019, Square's business was booming, and the company focused on scaling its AWS and GCP cloud footprints to accommodate that growth. As it did, the Block security team began to face new challenges around scaling security.
The main challenge the cloud security team encountered was one of volume: because the cloud offers the flexibility to scale resources up and down on demand, Square's developers and engineers regularly spun up new instances and shut others down without the security team's knowledge.
With so many environments, and separate AWS and GCP consoles for viewing each provider's resources, security had no consistent picture of what was running at any given time, which made comprehensive reporting on potential security risks difficult.
The security team did not want its controls to stifle innovation, but it also could not accept insecure configurations. Cloud platforms offer a host of new ways to solve problems and create efficiencies. Developers, engineers, and architects can be as granular or as holistic as they like, with innumerable pathways, structures, and patterns to draw on. Square wanted its developers to try new approaches to old problems and to use whichever cloud platform suited the job. But they needed a way to protect their environments without getting in the way of that innovation.
The security team was also on a path of continuous growth and improvement. They regularly received security feature requests from various departments and discovered new, more valuable ways to approach security, but they did not have the bandwidth to tackle them. These requests were usually shelved or placed in a backlog in the hope that they could be addressed later. Over time, this pattern stood in the way of a more modern, technologically advanced approach to security.
When Square began searching for a cloud security solution, they looked for a true partner: a best-in-class product, but also the expertise and strategic guidance to build the security features the organization needed.
Finding a product that could track resources in both AWS and GCP and aggregate the data in one central location was non-negotiable. They needed to see which resources were running, who was managing them, how they were configured, and whether changes were needed to maintain security.
Rapid7's InsightCloudSec product, along with Rapid7's support team, checked all the boxes. InsightCloudSec provided comprehensive security across Square's AWS and GCP cloud environments, misconfiguration monitoring and alerting, and an extended team that could offer feature support as needed.
InsightCloudSec's greatest value lies in its ability to track when resources are created and how many resources each project uses, and to present that information across all cloud providers in a single unified view.
This asset management capability provides a unified, normalized view of individual resources and their metadata. Square's security team can now zoom in to dig through settings and code, then zoom back out for a broader view of all assets across the organization. The team can answer questions such as:
This ability to see everything happening in the cloud, how it was built, and which security rules and configurations have been applied is invaluable to security professionals who are not building and developing in the cloud every day.
Now that the security team has all of its cloud environments available in a single pane, they can dig deeper to uncover misconfigurations and potential vulnerabilities that may be hidden in the settings, code, or metadata of a particular workload.
A single hidden misconfiguration can be the difference between a secure environment and one that offers an attack path, so it is extremely valuable for the team to fully understand each workload and ensure no detail is overlooked. Once they find a problem, InsightCloudSec's integrations with Slack, ServiceNow, and Jira let them send a quick message to a developer, architect, or engineer to fix the issue and keep security airtight.
Rapid7's support team provides additional value by taking on the work of building feature requests. Instead of dedicating valuable employee time to these, Square can offload them to Rapid7 to be completed asynchronously alongside other projects. With a quick Slack message to the support team, Square gets an extra set of skilled hands to:
Before InsightCloudSec, Square's security team had limited visibility into its cloud footprint and could not view all cloud assets at once. Once the platform was implemented, they had 100% visibility into all cloud environments in a single pane and no longer needed to ask anyone for information.
With this newfound capability, there is no more guessing about who is using what, where, and how they built it. Everything is available to the cloud security team at a glance from an easy-to-access dashboard. The security and development teams work in tandem to keep the cloud flexible and safe.
They also now use InsightCloudSec's custom Insight packs to produce weekly security posture reports over time. With this intelligence, Square's cloud security team can look back over months or even years to see how their security posture has matured.
Finally, feature requests are now actively built with Rapid7 rather than queued in the Square team's own lengthy backlog. With a quick Slack message from the Square security team, an idea becomes a feature request and the Rapid7 support team is on it.
Regarding the future of the partnership between Square and Rapid7, Jason, a security engineer at Square, had this to say: "Well, I hope this partnership continues. We've had a lot of success over the past year, and you all have been very receptive to feature requests to improve your own product and adapt it to our needs."
Square's Head of Financial Services Security added, "I think the customer support has also been really attractive for us. It's been a really great partnership."