AWS Solution


“We were writing and managing hundreds of scripts, alerts and reports to secure AWS and not even coming close to the Visibility, Control and Enforcement capabilities in Cloudvisory. Now, we are much more secure with Cloudvisory.”

Fortune 500 Healthcare Co.


AWS offers strong, native security controls to protect cloud deployments that, if used properly, can result in workloads that are more secure than those in traditional data centers. However, many AWS customers are not fully leveraging native controls, and thus are not benefitting from the improved security. Security Groups, for example, allow AWS customers to granularly control policy segmentation, which greatly reduces risk and also thwarts the East/West threat posed by nation-state attackers.

As Gartner points out, in order to keep up with the pace of change and protect against threats to the cloud, you must leverage “cloud-native controls” and you must move to security automation. One way to accomplish this is to use AWS APIs and tools (such as CloudFormation) to design, code, and maintain solutions that manage, monitor, and protect your AWS environments. Another option is to avoid this labor-intensive task and adopt a commercially available solution that integrates with AWS and has expertise gleaned across critical Fortune 100 deployments. A complete solution will need to integrate with AWS’s native security controls and provide:

Critical Solution Requirements

1) A detailed visual mapping of all AWS Accounts, Regions, Infrastructure and related flows
2) A method for policy organization, orchestration and automated provisioning
3) A policy monitoring, verification and enforcement system

Without these elements, AWS deployments are potentially left exposed and at risk. If environments are hybrid or become multi-cloud deployments, increasing the complexity, there will be a need to build and maintain additional management and monitoring controls. Alternatively, rely on a partner that has spent years crafting a complete solution designed to service workload security in AWS, Hybrid and Multi-Cloud deployments.
Cloudvisory’s Security Platform (CSP) provides the automation vital to your AWS cloud security strategy. CSP’s unique visibility, orchestration, control and enforcement capabilities can deliver immutable security across all of your AWS deployments.

“Automation reduces the chance of misadministration and mistakes, which are the leading causes of operations incidents, unexpected downtime and successful security attacks.”

Gartner

CSP delivers continuous monitoring, detection, and security automation for AWS environments with:

Visualization

Understanding and managing the security of your workloads in AWS can be challenging. A view of the “right-now” current infrastructure, any changes to it over time, visually understanding the relationships of Accounts, Regions, VPCs, VMs, Security Groups, and the network flows between them is critical to protecting your deployment. Cloudvisory's visualization is designed to continuously discover AWS environments and visually map the details of each. Additionally, it can be used to map existing data center environments and understand existing application data flows. Using this information can speed migration, and provision the required granular Security Group controls within AWS.

The following screens demonstrate the value visualization can bring to an AWS deployment.

Visualizing the Infrastructure

AWS Console

Using the AWS console, one is restricted to a list view of VMs for a single account and region at a time. While this is helpful, the lists do not provide a visual mapping of the complete AWS environment. Troubleshooting security issues can be hampered.

Cloudvisory CSP

Cloudvisory continuously discovers AWS infrastructure, delivering an interactive visual mapping of AWS Accounts, Regions, VPCs, VMs, network flows and even other hybrid or multi-cloud environments. This mapping illustrates the exact makeup of the AWS environment. As new workloads spin up or down, the mapping is immediately refreshed for an up-to-date representation of the deployment.


Control

Control provides a crucial Security Orchestration plane to help simplify the organization and control of security policies related to your AWS deployment. While many Dev/Ops teams use CloudFormation or other orchestration solutions to automate deployment of Security Groups, this practice leaves Security Teams in a “black-box” situation. Cloudvisory helps facilitate a proper separation of duties through its policy plane, which can bridge the gap between Security and Dev/Ops teams. Using CloudFormation or another orchestration solution, Dev/Ops teams can quickly spin up workloads as needed.

Cloudvisory discovers these new workloads and understands each workload’s “context” through infrastructure location, metadata and tags. Cloudvisory can then immediately provision the proper, exacting, segmented Security Groups. This is how an enterprise can have “immutable” security.

This is all accomplished with the security control plane inside of Cloudvisory. Natural language policies are created with point-and-click ease or simply discovered from existing data flows; these policies are then easily associated to groups of workloads via metadata, Secure Tags, and/or infrastructure memberships, allowing for automated, dynamic and precise provisioning of granular security policies. Dev/Ops teams can simply orchestrate their virtual instances. Security Teams can set policies and the associated control definitions inside of Cloudvisory and the rest happens automatically, in a completely auditable form. This control plane is also adaptive: as the environment changes, complex calculations determine the exact security policy changes required to keep the environment safe and immutable.

Organization & Orchestration

AWS Console: Policy Management

Tags and metadata are critical for organizing workloads and associated security policies into groups to speed management and control. In AWS you can manage tags to organize workloads, but there is no option to organize Security Groups based on infrastructure memberships. Additionally, certain tags need to be managed securely, which is not yet an option in AWS. In many cases, Dev/Ops teams are using complex coding and scripting in an attempt to organize Security Groups or, worse, they are using very “open” and generic settings which leave the environment at risk.

Cloudvisory CSP: Policy Management

In Cloudvisory, the Security Orchestration plane allows for the creation of natural language policies and the association of those policies to workloads via infrastructure memberships, Tags, Secure Tags and Group memberships (such as application or application tier). This orchestration plane allows for the organization, automated calculation, and provisioning of immutable policies, even as the environment undergoes change. Granular and more segmented policy control becomes a reality using Cloudvisory. The graphical user interface provides dramatic ease of use, speeding up Dev/Ops and ensuring consistent and perfect security.

Cloudvisory CSP: Visual Grouping

Additionally, Cloudvisory provides visual grouping of workloads and associated network flows based on virtually any category (Application, App Tier, Governance Policy, VPC, etc.). “Groups” allow for granular micro-segmentation of policies. Groups can span Accounts, Regions, VPCs, and even other Providers, making AWS Security Groups even more secure and more powerful.

AWS Console: Security Groups

Using the AWS Console to list and manage security groups is limited to a single Account in a single Region.

Cloudvisory CSP: Policy Creation

Creating policies in Cloudvisory, by contrast, can be done across Accounts, across Regions, at the workload or logical group level, simply and intuitively. This gives even greater management, security and control of the AWS deployment.


Enforcement

After discovery, visualization and orchestration, CSP monitors and enforces these controls and policies. Enforcement ensures all infrastructure, policies, and network flows remain in real-time compliance, even across Hybrid deployments. Enforcement can identify rogue and malicious activity and immediately take corrective action to halt a malware risk and even return the environment back to its safe and compliant state. By providing a commercial solution that delivers and enforces immutable security across AWS, Hybrid and Multi-Cloud deployments, Cloudvisory reduces time to market, saves money, speeds up operations and hardens security in the cloud.

Network Flows

AWS Console: Network Flows

The AWS Console provides a list of network flows limited to a single VPC in a single Account in a single Region. Operational teams require information beyond this list: holistic, contextual information about workload location by Account, Region, VPC, etc. is typically needed in order to service and troubleshoot the underlying cloud deployment.

Cloudvisory CSP: Network Flows

CSP’s visual representation of AWS and related flows is contextual. Using Cloudvisory, one can quickly identify non-compliant network flows and alert teams to potential threats. CSP also continuously monitors security policies for real-time compliance and alerts on rogue or accidental changes. Below, visual flow data specifically points out compliant and non-compliant net-flow details to quickly identify risk and potential malicious activity.

Cloudvisory Identifies Malware Attack. Halts and Quarantines the Infected Workload.

Cloudvisory CSP: Flow Details

In Cloudvisory, flow data has added richness. Cloudvisory flow information is summarized per workload and logical group for an enhanced understanding of the environment and faster triage of infected workloads or malicious actions.


Cloudvisory Policy Compliance Enforcement. Instantly Identify Violations and Roll Back to a Compliant State, Automatically.

Cloudvisory constantly monitors the security policy state to confirm it remains immutable and compliant. If an accidental or malicious change to the policies is identified, Cloudvisory detects and alerts, and can even take automatic corrective action to return the AWS environment to its compliant state.
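As an added illustration of the drift-detection and rollback idea described above (example code written for this page, not Cloudvisory's software), the following compares a baseline of intended Security Group ingress rules with an observed state shaped like the simplified EC2 IpPermissions structure and computes the revoke/authorize changes needed to return to the compliant state. The baseline and observed rule sets are constructed for the example; nothing calls AWS.

```python
"""Security Group drift detection and rollback plan (added example, not Cloudvisory's code)."""
from typing import Dict, FrozenSet, List, Tuple

# A rule is (protocol, from_port, to_port, cidr); immutable so it can live in a set.
Rule = Tuple[str, int, int, str]


def normalize(ip_permissions: List[dict]) -> FrozenSet[Rule]:
    """Flatten EC2-style IpPermissions into a set of (proto, from, to, cidr) tuples."""
    rules = set()
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        # IpProtocol "-1" means all traffic and carries no port range; use -1 as a sentinel.
        from_port = perm.get("FromPort", -1)
        to_port = perm.get("ToPort", -1)
        for rng in perm.get("IpRanges", []):
            rules.add((proto, from_port, to_port, rng["CidrIp"]))
    return frozenset(rules)


def drift_plan(baseline: List[dict], observed: List[dict]) -> Dict[str, List[Rule]]:
    """Rules to revoke (present but not intended) and to authorize (intended but missing)."""
    want, have = normalize(baseline), normalize(observed)
    return {"revoke": sorted(have - want), "authorize": sorted(want - have)}


def is_compliant(baseline: List[dict], observed: List[dict]) -> bool:
    """True when the observed rule set exactly matches the baseline."""
    plan = drift_plan(baseline, observed)
    return not plan["revoke"] and not plan["authorize"]


# Constructed baseline for a web-tier SG: HTTPS from anywhere, SSH only from one bastion host.
BASELINE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.1.10/32"}]},
]
# Constructed observed state: SSH was opened to the world and the HTTPS rule was removed.
OBSERVED = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.1.10/32"}, {"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for action, rules in drift_plan(BASELINE, OBSERVED).items():
        for proto, lo, hi, cidr in rules:
            print(f"{action}: {proto} {lo}-{hi} from {cidr}")
```

In a real deployment the revoke and authorize lists would be fed to the corresponding EC2 API calls, and the baseline would come from the policy store rather than a literal.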

Summary

AWS offers strong, native security controls to protect cloud environments that, if used properly, can deliver workloads that are more secure than those in traditional data centers. Cloudvisory is uniquely positioned to help you leverage and realize the full power of these tools through:

1) Automated and continuous Discovery and Visualization of your entire AWS Deployment
2) Organization and Orchestration of granular, micro-segmented Security Group Policies
3) The automatic provisioning of exacting security controls
4) The non-stop monitoring and enforcement of data flows and policies to ensure security policies remain immutable and the environment remains protected.

Cloudvisory’s Security Platform (CSP) provides the automation vital to your AWS cloud security strategy. CSP’s organization, visibility, control and enforcement help deliver immutable security across your AWS and Hybrid deployments.

