AWS Solution

“We were writing and managing hundreds of scripts, alerts and reports to secure AWS and not even coming close to the Visibility, Control and Enforcement capabilities in Cloudvisory. Now, we are much more secure with Cloudvisory.”

Fortune 500 Healthcare Co.

AWS offers strong, native security controls to protect cloud deployments that, if used properly, can result in workloads that are more secure than those in traditional data centers. However, many AWS customers are not fully leveraging these native controls and so do not benefit from the improved security. Security Groups, for example, allow AWS customers to granularly control policy segmentation, reducing risk and thwarting the East/West (lateral movement) threat posed by nation-state attackers.

Leveraging “cloud-native controls” and moving to security automation provides maximum protection. This can be done by utilizing AWS APIs and tools (such as CloudFormation) to design, code, and maintain solutions that manage, monitor, and protect your AWS environments.


Critical Solution Requirements

1) A detailed visual mapping of all AWS Accounts, Regions, Infrastructure and related flows
2) A method for policy organization, orchestration and automated provisioning
3) A policy monitoring, verification and enforcement system

As deployments in hybrid or multi-cloud environments are increasingly complex, additional management and monitoring controls are required. Cloudvisory’s Security Platform (CSP) provides the automation vital for workload security in AWS, hybrid or multi-cloud deployments.
“Automation reduces the chance of misadministration and mistakes, which are the leading causes of operations incidents, unexpected downtime and successful security attacks.”

Gartner

Cloudvisory Security Platform
CSP delivers continuous monitoring, detection, and security automation for AWS environments through visibility, cloud-native control capabilities and enforcement.


Visualization

In order to understand and manage the security of workloads in an AWS environment, you need a view of the “right-now” infrastructure, its changes over time, and the relationships between Accounts, Regions, VPCs, VMs, Security Groups, and network flows. In AWS, CSP continuously discovers and visually maps each of these, which can speed migration and provision the required granular Security Group controls.

Visualizing the Infrastructure

AWS Console: Visualizing

In the AWS console, only a single account and region can be seen in the list view of VMs. While this is useful, the lists do not provide a visual mapping of the complete AWS environment, which hampers troubleshooting security issues.

Cloudvisory CSP: Visualization with CSP

Cloudvisory continuously discovers AWS infrastructure, delivering an interactive visual mapping of AWS Accounts, Regions, VPCs, VMs, network flows and even other hybrid or multi-cloud environments. This mapping illustrates the exact makeup of the AWS environment. As new workloads spin up or down, the mapping is immediately refreshed for an up-to-date representation of the deployment.

Security Orchestration

CSP’s security orchestration plane simplifies the organization and control of security policies in AWS deployments. Too often DevOps teams use CloudFormation or other orchestration tools to automate deployment of Security Groups, leaving Security Teams in a “black box” situation. CSP facilitates a proper separation of duties through the policy plane, bridging the gap between Security and DevOps teams and allowing DevOps to quickly spin up workloads as needed.

CSP’s security control plane discovers new workloads, understands their “context” through infrastructure location, metadata and tags, and immediately provisions the proper, precisely segmented Security Groups. This is how an enterprise can have “immutable” security.

Additionally, natural language policies are created with point-and-click ease or simply discovered from existing data flows; these policies are then easily associated with groups of workloads via metadata, Secure Tags, and/or infrastructure memberships, allowing for automated, dynamic and precise provisioning of granular security policies. DevOps teams can simply orchestrate their virtual instances. Security Teams set policies and the associated control definitions in CSP and the rest happens automatically, complete with audit capability. CSP is adaptive – as the environment changes, complex calculations determine the exact security policy changes required to keep the environment safe and immutable.

Organization & Orchestration

AWS Console: Policy Management

Tags and metadata are critical for organizing workloads and associated security policies into groups to speed management and control. In AWS you can manage tags to organize workloads, but there is no option to organize Security Groups based on infrastructure memberships. Additionally, certain tags need to be managed securely, which is not yet an option in AWS. In many cases, DevOps teams are using complex coding and scripting in an attempt to organize Security Groups or, worse, they are using very “open” and generic settings which leave the environment at risk.

Cloudvisory CSP: Policy Management

CSP's Security Orchestration plane allows for the creation of natural language policies and the association of those policies with workloads via infrastructure memberships, Tags, Secure Tags and Group memberships (such as application or application tier). This orchestration plane allows for the organization, automated calculation, and provisioning of immutable policies, even as the environment undergoes change. Granular and more segmented policy control becomes a reality using Cloudvisory. The graphical user interface provides dramatic ease of use, speeding up DevOps and ensuring consistent, correctly provisioned security.

Cloudvisory CSP: Visual Grouping

Additionally, CSP provides visual grouping of workloads and associated network flows based on virtually any category (Application, App Tier, Governance Policy, VPC, etc.). “Groups” allow for granular microsegmentation of policies. Groups can span Accounts, Regions, VPCs, and even other providers, making AWS Security Groups more powerful and the resulting segmentation more secure.

AWS Console: Security Groups

Using the AWS Console to list and manage security groups is limited to a single Account in a single Region.

Cloudvisory CSP: Policy Creation

Creating policies in Cloudvisory, by contrast, can be done across Accounts, across Regions, and at the workload or logical group level, simply and intuitively. This gives even greater management, security and control of the AWS deployment.

Enforcement

After discovery, visualization and orchestration, CSP monitors and enforces these controls and policies. Enforcement ensures all infrastructure, policies, and network flows remain in real-time compliance, even across Hybrid deployments. Enforcement can identify rogue and malicious activity and immediately take corrective action to halt a malware risk and even return the environment back to its safe and compliant state. By providing a commercial solution that delivers and enforces immutable security across AWS, Hybrid and Multi-Cloud deployments, Cloudvisory reduces time to market, saves money, speeds up operations and hardens security in the cloud.

Network Flows

AWS Console: Network Flows

The AWS Console provides a list of network flows limited to a single VPC in a single Account in a single Region. Operational teams require information beyond this list: holistic, contextual information about workload location by Account, Region, VPC, etc. is typically needed in order to service and troubleshoot the underlying cloud deployment.

Cloudvisory CSP: Network Flows

CSP’s representation of AWS and related flows is visual and contextual, allowing quick identification of non-compliant network flows and alerting teams to potential threats. CSP also continuously monitors security policies for real-time compliance and alerts on rogue or accidental changes. Below, visual flow data specifically points out compliant and non-compliant net-flow details to quickly identify risk and potential malicious activity.

Cloudvisory identifies a malware attack, halts it, and quarantines the infected workload.

Cloudvisory CSP: Flow Details

In CSP, flow data has added richness. Flow information is summarized per workload and logical group for an enhanced understanding of the environment and faster triage of infected workloads or malicious actions.


Policy Enforcement - Identify, Remediate, and Quarantine Automatically...

CSP constantly monitors the security policy state to confirm it remains immutable and compliant. Accidental or malicious changes to the policies are automatically detected and alerted on, and CSP can take corrective action to return the AWS environment to its compliant state.
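The tag-to-policy association described under Security Orchestration and the drift detection and remediation described here can be expressed as a small policy-as-code check. The following is an added example, not Cloudvisory's code: it compares a Security Group's ingress rules (in the shape `DescribeSecurityGroups` returns) against a constructed baseline keyed by a workload "Tier" tag and reports which rules to revoke and which to authorize. The tier names, CIDRs and sample group are all constructed placeholders.

```python
# Added example (not Cloudvisory's code): Security Group ingress drift check
# against a tag-derived policy baseline. Real-world use would feed "revoke" to
# RevokeSecurityGroupIngress and "authorize" to AuthorizeSecurityGroupIngress.
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, int, int, str]  # (IpProtocol, FromPort, ToPort, CidrIp)

# Constructed baseline: allowed ingress per "Tier" tag value (assumption:
# one tier tag per workload; the CIDRs are placeholders).
POLICY: Dict[str, Set[Rule]] = {
    "web": {("tcp", 443, 443, "0.0.0.0/0")},
    "app": {("tcp", 8080, 8080, "10.0.1.0/24")},
    "db": {("tcp", 5432, 5432, "10.0.2.0/24")},
}


def rules_from_permissions(ip_permissions: List[dict]) -> Set[Rule]:
    """Flatten an IpPermissions list into comparable tuples. Protocol "-1"
    (all traffic) carries no port fields, so -1 stands in for both ports."""
    rules: Set[Rule] = set()
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        for rng in perm.get("IpRanges", []):
            rules.add((proto, perm.get("FromPort", -1),
                       perm.get("ToPort", -1), rng["CidrIp"]))
    return rules


def compute_drift(tier_tag: str, ip_permissions: List[dict]) -> Dict[str, Set[Rule]]:
    """'revoke': rules present but not in the baseline (the risky extras);
    'authorize': rules the baseline requires but the group lacks."""
    expected = POLICY[tier_tag]
    current = rules_from_permissions(ip_permissions)
    return {"revoke": current - expected, "authorize": expected - current}


def is_compliant(tier_tag: str, ip_permissions: List[dict]) -> bool:
    drift = compute_drift(tier_tag, ip_permissions)
    return not drift["revoke"] and not drift["authorize"]


# Constructed sample: a "db" tier group whose scoped rule was replaced by a
# wide-open one plus an all-traffic rule, the "generic settings" risk above.
SAMPLE_DB_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.2.0/24"}]},
]
```

Running `compute_drift("db", SAMPLE_DB_PERMISSIONS)` flags both current rules for revocation and the scoped 5432 rule for re-authorization, which is the "return to compliant state" step in rule form.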

Summary

AWS offers strong, native security controls to protect cloud environments that, if used properly, can deliver workloads that are more secure than those in traditional data centers. Cloudvisory is uniquely positioned to help you leverage and realize the full power of these tools through:

1) Automated and continuous Discovery and Visualization of your entire AWS Deployment
2) Organization and Orchestration of granular, micro-segmented Security Group Policies
3) The automatic provisioning of exacting security controls
4) The non-stop monitoring and enforcement of data flows and policies to ensure security policies remain immutable and the environment remains protected.

Cloudvisory’s Security Platform (CSP) provides the automation vital to your AWS cloud security strategy. CSP’s audit, compliance, microsegmentation and enforcement capabilities help deliver immutable security across your AWS and Hybrid deployments.
