AWS Solution

AMAZON WEB SERVICES

“We were writing and managing hundreds of scripts, alerts and reports to secure AWS and not even coming close to the Visibility, Control and Enforcement capabilities in Cloudvisory. Now, we are much more secure with Cloudvisory.”

Fortune 500 Healthcare Co.


AWS offers strong, native security controls to protect cloud environments that, if used properly, can deliver workloads that are more secure than those in traditional data centers. However, as Gartner points out, in order to keep up with the pace of change and threats to the cloud, you must move to security automation. AWS provides tools that allow you to script, code and create a set of solutions to manage, monitor and protect your environment. But this is a labor-intensive task that will require constant maintenance by a team of people. A complete solution will need to provide:

Critical Solution Requirements

1. A detailed visual mapping of all AWS accounts, Regions, infrastructure and related flows
2. A method for policy organization, orchestration and automated provisioning
3. A policy monitoring, verification and enforcement system

Without these elements, your AWS deployment will be left exposed and at risk. You can take the tools offered by AWS and deploy a team to attack this problem set, and if you ever move to a multi-cloud situation, you will have to build these elements all over again for the next provider. Or you can rely on a partner that has spent years crafting a complete solution.

Cloudvisory’s Security Platform (CSP) provides the automation vital to your AWS cloud security strategy. CSP’s visibility, orchestration, control and enforcement platform helps deliver immutable security across your AWS deployments.

“Automation reduces the chance of misadministration and mistakes, which are the leading causes of operations incidents, unexpected downtime and successful security attacks.”

Gartner

Here is how CSP delivers that required automation for AWS environments to keep your organization agile, safe and protected.

CV Insight

Understanding and managing the security of your workloads in AWS can be challenging using the AWS Console, the CLI, or the REST API. In all cases, getting the proper perspective of the current infrastructure and any changes to it over time can be difficult due to the lack of visual representations of the relationships between Regions, VPCs, VMs, Security Groups, and the network flows between them. CV Insight is designed to continuously discover AWS environments and visually map the details of the environment. The following screens demonstrate the value CV Insight can bring to an AWS deployment.

Visualizing the Infrastructure

AWS Console (screen: Visualizing AWS Console)

Using the AWS console, one is restricted to a list view of VMs for a single account and region at a time. These are just lists with no visual mapping of the AWS environment. Troubleshooting is difficult and slow.

Cloudvisory CSP (screen: Visualization with CSP)

Cloudvisory continuously discovers AWS infrastructure, allowing interaction with a visual mapping across AWS Accounts, Regions, VPCs, VMs, network flows and even other Providers. This mapping illustrates the exact makeup of the AWS environment. As new workloads spin up or down, the mapping will be immediately refreshed for an up-to-date representation of the deployment.


CV Control

CV Control provides a crucial Security Orchestration plane to help simplify the organization and control of security policies. Natural language policies are created with point-and-click ease; those policies are associated with groups of workloads via metadata, allowing for automated and precise provisioning of those policies. This control plane is also adaptive: as the environment changes, complex calculations determine the exact security policy changes required to keep the environment safe and immutable.

Organization & Orchestration

AWS Console (screen: AWS Console Policy Management)

Tags and metadata are critical for organizing workloads and associated security policies into groups to speed management and control. In AWS you can manage tags to organize workloads but cannot easily associate these tags with policies across various VPCs. This makes it costly and time-consuming for Dev/Ops or Security teams to manage AWS policies through complex coding and scripting.

Cloudvisory CSP (screen: Cloudvisory CSP Policy Management)

In Cloudvisory, the Security Orchestration plane allows for the creation of natural language policies and the association of those policies with workloads via Infrastructure memberships, Tags and Group memberships (such as application or application tier). This orchestration plane allows for the automated calculation and provisioning of immutable policies even as the environment undergoes change. The graphical user interface provides dramatic ease of use, speeding up Dev/Ops and ensuring consistent and perfect security.

Cloudvisory CSP (screen: Cloudvisory CSP Visual Grouping)

Additionally, Cloudvisory provides visual grouping of workloads and the network flows between them based on virtually any category (Application, App Tier, Governance Policy, VPC, etc.). Groups allow for granular micro-segmentation of policies. Groups can span Accounts, Regions, VPCs, and even other Providers, something not possible with the native tools of AWS.

AWS Console (screen: AWS Console Security Groups)

Using the AWS Console to list and manage security groups is not intuitive and is limited to a single account in a single region.

Cloudvisory CSP (screen: Cloudvisory CSP Policy Creation)

But creating policies in Cloudvisory can be done across Accounts, across Regions, at the workload or logical group level, simply and intuitively. This gives tremendous management, security and control of the AWS deployment.


CV Compliance

After discovery, visualization and orchestration by CV Insight and CV Control, CV Compliance monitors and enforces those policies. CV Compliance ensures all infrastructure, policies, and network flows remain in real-time compliance. CV Compliance can identify rogue and malicious activity and immediately take corrective action to halt a malware risk and even return the environment back to a compliant and safe state. To deliver the same with AWS tools would require a significant investment in people, time, coding and testing.

Network Flows

AWS Console (screen: AWS Console Network Flows)

The AWS Console provides a list of network flows limited to a single VPC in a single account in a single region. It is just a list. It does not provide the rich, contextual information typically needed by operations teams in order to service and troubleshoot the underlying cloud deployment.

Cloudvisory CSP (screen: Cloudvisory CSP Network Flows)

CSP’s representation of AWS and related flows is visual and contextual. Cloudvisory can quickly identify non-compliant network flows and alert teams to potential threats. CV Compliance also continuously monitors security policies for compliance and alerts on non-compliant changes. Below, visual flow data specifically points out compliant and non-compliant flow details to quickly identify risk and potential malicious activity.

Cloudvisory Identifies Malware Attack. Halts and Quarantines the infected Workload.





Cloudvisory CSP (screen: Cloudvisory CSP Flow Details)

In Cloudvisory, flow data is much richer. Cloudvisory flow information is summarized per workload and logical group for a better understanding of the environment and faster triage of infected or malicious actions.


Cloudvisory Policy Compliance Enforcement. Identify Violation and Rollback.

Cloudvisory constantly monitors the security policy state to confirm it remains immutable and compliant. If an accidental or malicious change to the policies is identified, Cloudvisory detects it, alerts, and can even take automatic corrective action to return the AWS environment to its compliant state.

Summary

AWS offers strong, native security controls to protect cloud environments that, if used properly, can deliver workloads that are more secure than those in traditional data centers. However, there are limitations with AWS that can leave your AWS deployment exposed and at risk.

Cloudvisory’s Security Platform (CSP) provides the automation vital to your AWS cloud security strategy. CSP’s organization, visibility, control and enforcement help deliver immutable security across your AWS deployments.

