Azure Solution


“Cloudvisory’s Security Orchestration allowed our DevOps to quickly deploy secure applications”

Fortune 500 Retail Co.


Azure offers strong, native security controls to protect cloud deployments. When configured correctly, the Azure environment provides more secure workloads than those in traditional data centers. However, many Azure customers are not fully leveraging these native controls, and so do not benefit from the improved security. Network Security Groups, for example, allow Azure customers to granularly segment traffic between workloads, which greatly reduces risk and thwarts threats posed by malicious actors.

As Gartner points out, keeping up with the pace of change and protecting against threats to the cloud requires “cloud-native controls” and a move to security automation. A complete solution will need to integrate with Azure’s native security controls and provide:

Critical Solution Requirements

1. A detailed visual mapping of all Azure Subscriptions, Resource Groups, Regions, Infrastructure and related flows
2. A method for policy organization, orchestration and automated provisioning
3. A policy monitoring, verification and enforcement system

Without these elements, Azure deployments are potentially left exposed. Hybrid or multi-cloud deployments increase the complexity, and require additional DevOps resources for building and maintaining adequate management and monitoring controls.
Cloudvisory’s Security Platform (CSP) removes the complexity of configuring Azure’s security controls, and provides the automation vital to any Azure cloud security strategy. CSP’s real-time visualization of workloads, together with its orchestration, control, and enforcement capabilities, eliminates misconfiguration and secures Azure deployments.

“Automation reduces the chance of misadministration and mistakes, which are the leading causes of operations incidents, unexpected downtime and successful security attacks.”

Gartner

CSP delivers continuous discovery, monitoring, detection, and security automation for Azure environments with:

Visualization

Managing the security of Azure workloads requires a dynamic view of the infrastructure, and immediate detection of any changes to it. Visually understanding the relationships of Subscriptions, Resource Groups, Regions, VMs, Network Security Groups, and the network flows between them is critical to protecting your deployment. CSP is designed to continuously discover Azure environments and visually map the details of each component and workload, using Azure’s APIs – not an agent. CSP can also be used to map existing data center environments and understand existing application data flows. Using this information speeds migration, and provisions the required granular Network Security Group controls within Azure.

The following screens illustrate the value CSP can bring to an Azure deployment.

Visualizing the Infrastructure

Azure Portal

The Azure Portal provides a restricted list view of VMs for a given Resource Group or Subscription. The lists do not provide a visual mapping of the Azure environment depicting how things are deployed, nor are they updated dynamically to show change. Troubleshooting is difficult and slow.

Cloudvisory CSP

Cloudvisory continuously discovers an Azure infrastructure, delivering an interactive visual mapping of Azure Subscriptions, Resource Groups, Regions, VMs, network flows and even other hybrid or multi-cloud environments. This dynamic mapping illustrates the exact makeup of the Azure environment and its workloads. As new workloads spin up or down, the mapping is immediately refreshed.


Control

Cloudvisory’s Security Orchestration provides a powerful platform to create, manage and organize security policies for an Azure deployment. While many DevOps teams use Azure Resource Manager with Azure Automation, or other orchestration solutions to automate deployment of Network Security Groups, this practice leaves Security Teams in a “black-box” situation. CSP’s policy creation and implementation helps facilitate a proper separation of duties and bridges the gap between Security and DevOps teams.

Using Azure Automation or other orchestration solutions, DevOps teams can quickly spin up workloads as needed. CSP discovers these new workloads, derives each workload’s “context” from its infrastructure location, metadata and tags, and then provisions precise, segmented Network Security Groups.

Natural language policies are created with point-and-click ease, or simply discovered from existing data flows. Policies are then associated with groups of workloads via metadata, Secure Tags, and/or infrastructure memberships. Security Teams set policies and the associated Control definitions inside CSP, and the rest happens automatically, in a completely auditable form. DevOps teams simply orchestrate their virtual instances. CSP’s Security Orchestration is also adaptive: as the environment changes, CSP recalculates the security policy changes required to keep the environment safe.
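The tag-driven provisioning described above can be reduced to a desired-state check: derive the inbound rules a workload should have from its tags, then diff them against the rules actually attached to its Network Security Group. The following Python is an added illustration, not Cloudvisory’s code. The tier policy table, the `tier` tag name, the `Rule`/`audit` helpers and the sample NSG document are all constructed for this example; a real run would fetch the NSG and the VM’s tags through the Azure Resource Manager API, whose `properties.securityRules[]` shape the sample mirrors.

```python
"""Tag-driven NSG policy check (added example, not Cloudvisory's code).

Compiles a per-tier policy into the inbound Allow rules a workload should
have, then diffs those against the rules actually present on its NSG."""
from dataclasses import dataclass

# Hypothetical policy table keyed by the value of a "tier" tag (assumption).
# Each entry: (protocol, destination port, allowed source prefix).
TIER_POLICY = {
    "web": [("Tcp", "443", "Internet")],
    "app": [("Tcp", "8080", "10.0.1.0/24")],   # reachable only from the web subnet
    "db":  [("Tcp", "5432", "10.0.2.0/24")],   # reachable only from the app subnet
}

# Source prefixes that make an inbound Allow rule open to any address.
OPEN_PREFIXES = {"*", "0.0.0.0/0", "Internet"}


@dataclass(frozen=True)
class Rule:
    protocol: str
    port: str
    source: str


def expected_rules(tags):
    """Inbound Allow rules the workload should have, derived from its tags."""
    tier = tags.get("tier")
    if tier not in TIER_POLICY:
        raise ValueError(f"no segmentation policy for tier {tier!r}")
    return {Rule(*r) for r in TIER_POLICY[tier]}


def actual_inbound_allows(nsg):
    """Inbound Allow rules present in an NSG resource as the Azure Resource
    Manager API returns it (properties.securityRules[]). Only custom rules are
    read; defaultSecurityRules are ignored. Priority ordering (a lower-numbered
    Deny shadowing an Allow) is deliberately not modelled here."""
    rules = set()
    for r in nsg["properties"]["securityRules"]:
        p = r["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        # ARM uses either the singular field or a plural list form.
        ports = p.get("destinationPortRanges") or [p["destinationPortRange"]]
        sources = p.get("sourceAddressPrefixes") or [p["sourceAddressPrefix"]]
        for port in ports:
            for src in sources:
                rules.add(Rule(p["protocol"], port, src))
    return rules


def audit(nsg, tags):
    """Return (missing, unexpected, wide_open): rules policy wants but the NSG
    lacks, rules the NSG has that policy never asked for, and the subset of
    those that are open to any source."""
    want = expected_rules(tags)
    have = actual_inbound_allows(nsg)
    missing = want - have
    unexpected = have - want
    wide_open = {r for r in unexpected if r.source in OPEN_PREFIXES}
    return missing, unexpected, wide_open


def _rule(name, proto, port, src, access, direction, priority):
    return {"name": name, "properties": {
        "protocol": proto, "sourcePortRange": "*", "destinationPortRange": port,
        "sourceAddressPrefix": src, "destinationAddressPrefix": "*",
        "access": access, "direction": direction, "priority": priority}}


# Constructed sample: a db-tier VM whose NSG also carries a rogue SSH rule.
SAMPLE_DB_TAGS = {"tier": "db", "app": "orders"}
SAMPLE_DB_NSG = {"name": "orders-db-nsg", "properties": {"securityRules": [
    _rule("allow-app-to-db", "Tcp", "5432", "10.0.2.0/24", "Allow", "Inbound", 100),
    _rule("allow-ssh-anywhere", "Tcp", "22", "*", "Allow", "Inbound", 110),
    _rule("deny-all-in", "*", "*", "*", "Deny", "Inbound", 4000),
    _rule("allow-dns-out", "Udp", "53", "*", "Allow", "Outbound", 100),
]}}

if __name__ == "__main__":
    missing, unexpected, wide_open = audit(SAMPLE_DB_NSG, SAMPLE_DB_TAGS)
    print("missing:   ", missing)
    print("unexpected:", unexpected)
    print("wide open: ", wide_open)
```

Run against the sample, the audit reports no missing rules, one unexpected rule (SSH from any source) and flags that same rule as wide open; the `wide_open` set is the one to act on first, since it is exactly the “open and generic” setting the page warns about. Rule priority is ignored on purpose: a full evaluator must also walk lower-numbered Deny rules and the platform default rules before concluding a port is reachable.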

Organization & Orchestration

Azure Portal Policy Management

With the Azure Portal, Tags are defined for resources, and resources are then organized by those Tags for billing or management. However, there is no way to organize Network Security Groups based on infrastructure memberships. Additionally, certain Tags need to be managed securely, which is not yet an option in Azure. Currently, DevOps teams are building complex, custom solutions in an attempt to organize Network Security Groups, or worse, using open and generic settings which leave the environment at risk. Tags and metadata are critical for organizing workloads and their associated security policies into groups, to speed management and control.

Cloudvisory CSP Policy Management

With CSP, the Security Orchestration plane enables creation of natural language policies, and association of those policies with workloads via infrastructure memberships, Tags, Secure Tags, and Group memberships (such as application or application tier). Provisioning of policies is organized and automated, and adapts dynamically as the environment changes. DevOps teams no longer spend weeks or months creating custom solutions that do not scale and cannot adapt to an ever-changing cloud environment.

Cloudvisory CSP Visual Grouping

CSP provides visual grouping of workloads and associated network flows based on virtually any category (Application, App Tier, Governance Policy, or Resource Group). These groups enable granular micro-segmentation of policies, which is key to securing a cloud environment. Groups can span Subscriptions, Resource Groups, Regions, and even other providers, making Azure Network Security Groups even more powerful.

Azure Portal Security Groups

Using the Azure Portal to list and manage Network Security Groups, it is difficult to understand how each Network Security Group relates to all the workloads it may affect.

Cloudvisory CSP Policy Creation

Policies in CSP can be created across Subscriptions, Resource Groups and Regions, at the workload or logical group level, simply and intuitively. This gives tremendous management, security and control of the Azure deployment.


Enforcement

Once policies are provisioned they must be monitored to ensure the environment is never compromised. CSP continuously monitors hybrid-cloud environments to enforce policy compliance and detect abnormal behavior in any workload. If detected, CSP automatically remediates and neutralizes the threat to keep the environment compliant and secure.

Network Flows

Azure Portal Network Flows

The Azure Portal, used in conjunction with Azure Network Watcher, provides a limited view into the network topology and a downloadable list of network flow details. Operational teams require information beyond this list: holistic, contextual information about workload location by Subscription, Resource Group, or Region is essential for servicing and troubleshooting the underlying cloud deployment.

Cloudvisory CSP Network Flows

CSP’s representation of Azure resources and related flows is both visual and contextual. CSP can quickly identify non-compliant network flows and alert teams to potential threats. CSP also continuously monitors Network Security Group policies for real-time compliance breaches, and alerts on rogue or accidental changes. The flow view specifically points out compliant and non-compliant flow details, so risk and potential malicious activity are identified quickly. Unlike other solutions, all of this is accomplished using the Azure APIs, without an agent.
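Classifying flows as compliant or non-compliant, as described here and in the Network Watcher comparison above, comes down to replaying what the NSG actually let through against the segmentation policy that was intended. The Python below is an added example, not Cloudvisory’s code: it parses flow tuples in the NSG flow log version 2 layout that Azure writes and summarises verdicts per workload. The `POLICY` map keyed by workload private IP, the `classify`/`summarize` helpers and the sample tuples are all constructed for the example; in a tag-driven deployment the policy map would be derived from each VM’s tags, and the tuples would come from the flow log blobs.

```python
"""Classify NSG flow log (version 2) tuples against a segmentation policy.
Added example, not Cloudvisory's code."""
import ipaddress
from collections import Counter, defaultdict

# Hypothetical desired-state policy keyed by workload private IP (assumption;
# in a tag-driven setup this map would be derived from each VM's tags).
# Entry: (protocol as logged, "T"/"U"; destination port; allowed source
# network, or None for any source).
POLICY = {
    "10.0.1.4": {("T", 443, None)},                                   # web tier
    "10.0.3.4": {("T", 5432, ipaddress.ip_network("10.0.2.0/24"))},  # db tier: app subnet only
}

# Constructed flow tuples in the v2 layout Azure writes:
# ts,src,dst,sport,dport,proto,direction(I/O),decision(A/D),state(B/C/E),
# pkts src->dst, bytes src->dst, pkts dst->src, bytes dst->src
SAMPLE_TUPLES = [
    "1542110377,203.0.113.7,10.0.3.4,51234,5432,T,I,A,B,,,,",          # Internet -> db, let through
    "1542110380,10.0.2.5,10.0.3.4,40000,5432,T,I,A,C,10,2000,8,1500",  # app -> db
    "1542110381,198.51.100.9,10.0.3.4,40001,22,T,I,D,B,,,,",            # SSH probe, denied
    "1542110382,10.0.3.4,10.0.2.5,5432,40000,T,O,A,C,8,1500,10,2000",  # outbound leg
    "1542110390,203.0.113.7,10.0.1.4,51300,443,T,I,A,B,,,,",            # Internet -> web
]


def parse_tuple(t):
    f = t.split(",")
    return {"ts": int(f[0]), "src": f[1], "dst": f[2], "sport": int(f[3]),
            "dport": int(f[4]), "proto": f[5], "dir": f[6],
            "decision": f[7], "state": f[8]}


def policy_allows(workload, proto, dport, src_ip):
    src = ipaddress.ip_address(src_ip)
    for p, port, net in POLICY.get(workload, ()):
        if p == proto and port == dport and (net is None or src in net):
            return True
    return False


def classify(t):
    """(workload_ip, verdict) for an inbound tuple; None for outbound.
    'non-compliant' means the NSG let through a flow the policy forbids,
    i.e. the NSG rules have drifted from the intended segmentation."""
    f = parse_tuple(t)
    if f["dir"] != "I":
        return None
    if f["decision"] == "D":
        return f["dst"], "denied"
    if policy_allows(f["dst"], f["proto"], f["dport"], f["src"]):
        return f["dst"], "compliant"
    return f["dst"], "non-compliant"


def summarize(tuples):
    """Per-workload verdict counts: the roll-up a responder triages from."""
    out = defaultdict(Counter)
    for t in tuples:
        r = classify(t)
        if r:
            out[r[0]][r[1]] += 1
    return {w: dict(c) for w, c in out.items()}


if __name__ == "__main__":
    for t in SAMPLE_TUPLES:
        print(classify(t), t)
    print(summarize(SAMPLE_TUPLES))
```

On the sample, the database workload shows one compliant flow from the app subnet, one denied SSH probe, and one non-compliant flow: PostgreSQL reached directly from the Internet even though policy restricts it to the app subnet. A denied flow is noise for this check; the non-compliant verdict is the actionable one, because it means the NSG that should have blocked the flow did not, which is exactly the kind of rogue or accidental rule change the monitoring above is meant to catch.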

Video: Cloudvisory identifies a malware attack, then halts and quarantines the infected workload.
Cloudvisory CSP Flow Details

CSP flow data has added richness. Flow information is summarized per workload and per logical group, for an enhanced understanding of the environment and faster triage of infected workloads or malicious actions.


CSP Policy Compliance Enforcement. Instantly Identify Violations and Rollback to Compliant State, Automatically...

Summary

Leveraging Azure’s native security controls and APIs to protect cloud environments delivers workloads that are more secure than those in traditional data centers. Cloudvisory is uniquely positioned to help you realize the full power of these tools through:

1) Continuous Discovery and Visualization of Infrastructure and Security Policies
2) Policy Organization, Orchestration and Automated Provisioning
3) Intelligent, granular, cloud-native Micro-Segmentation
4) Continuous Monitoring, Enforcement, and auto-remediation of Security policies

CSP provides the discovery and automation necessary for an Azure cloud security strategy. CSP’s organization, visibility, control and enforcement ensure security across your Azure and hybrid-cloud deployments.
