Azure Solution

“Cloudvisory’s Security Orchestration allowed our DevOps to quickly deploy secure applications”

Fortune 500 Retail Co.

Azure offers strong, native security controls to protect cloud deployments. When configured correctly, the Azure environment provides more secure workloads than those in traditional data centers. However, many Azure customers are not fully leveraging these native controls, and so do not benefit from the improved security. Network Security Groups, for example, allow Azure customers to granularly control policy segmentation, which greatly reduces risk and also thwarts the threat posed by malicious actors.
As Gartner points out, in order to keep up with the pace of change and protect against threats to the cloud, “cloud-native controls” must be used and the environment must move to security automation. A complete solution needs to integrate with Azure’s native security controls and provide:


Critical Solution Requirements

1) A detailed visual mapping of all Azure Subscriptions, Resource Groups, Regions, Infrastructure and related flows
2) A method for policy organization, orchestration and automated provisioning
3) A policy monitoring, verification and enforcement system
As deployments in hybrid or multi-cloud environments are increasingly complex, additional management and monitoring controls are required. Cloudvisory’s Security Platform (CSP) provides the automation vital for workload security in Azure, hybrid or multi-cloud deployments.
“Automation reduces the chance of misadministration and mistakes, which are the leading causes of operations incidents, unexpected downtime and successful security attacks.”

Gartner

Cloudvisory Security Platform
CSP delivers continuous monitoring, detection, and security automation for Azure environments through visibility, cloud-native control capabilities and enforcement.


Visualization

In order to understand and manage the security of workloads in an Azure environment, a dynamic view of the infrastructure is required: changes over time, the relationships between Subscriptions, Resource Groups, Regions, VMs and Network Security Groups, and the network flows between them. In Azure, CSP continuously discovers and visually maps the details of each, which speeds migration and the provisioning of the required granular Network Security Group controls.

Visualizing the Infrastructure

Azure Portal

The Azure Portal provides a restricted list view of VMs for a given Resource Group or Subscription. The lists do not provide a visual mapping of the Azure environment depicting how things are deployed, nor are they updated dynamically to show change. Troubleshooting is difficult and slow.

Cloudvisory CSP

Cloudvisory continuously discovers an Azure infrastructure, delivering an interactive visual mapping of Azure Subscriptions, Resource Groups, Regions, VMs, network flows and even other hybrid or multi-cloud environments. This dynamic mapping illustrates the exact makeup of the Azure environment and its workloads. As new workloads spin up or down, the mapping is immediately refreshed.

Security Orchestration

CSP’s security orchestration plane simplifies the organization and control of security in an Azure deployment. While many DevOps teams use Azure Resource Manager with Azure Automation, or other orchestration solutions to automate deployment of Network Security Groups, this practice leaves Security Teams in a “black-box” situation. CSP’s policy creation and implementation helps facilitate a proper separation of duties and bridges the gap between Security and DevOps teams.

Using Azure Automation or other orchestration solutions, DevOps teams can quickly spin up workloads as needed. CSP discovers these new workloads and understands their “context” through infrastructure location, metadata and tags. CSP then provisions the proper, precisely segmented Network Security Groups.

Natural language policies are created with point-and-click ease, or simply discovered from existing data flows. Policies are then associated with groups of workloads via Metadata, Secure Tags, and/or Infrastructure Memberships. Security Teams can set policies and the associated Control definitions inside of CSP and the rest happens automatically, complete with audit capability. DevOps teams can simply orchestrate their virtual instances. CSP’s Security Orchestration is adaptive – as the environment changes, complex calculations determine the security policy changes required to keep the environment safe.

Organization & Orchestration

Azure Portal: Policy Management

With the Azure Portal, Tags are defined for resources, then resources are organized based on those tags for billing or management. However, there is no way to organize Network Security Groups based on infrastructure memberships. Additionally, certain Tags need to be managed securely, a capability unavailable in Azure. Currently, DevOps teams are building complex, custom solutions in an attempt to organize Network Security Groups or, worse, they are using open and generic settings which leave the environment at risk.

Cloudvisory CSP: Policy Management

With CSP, the Security Orchestration plane enables creation of natural language policies, and association of those policies with workloads via infrastructure memberships, Tags, Secure Tags, and Group memberships (such as application or application tier). Provisioning of policies is organized, automated, and becomes dynamic as the environment undergoes change. DevOps teams no longer spend weeks or months creating custom solutions that do not scale and cannot adapt to the ever-changing cloud environment.

Cloudvisory CSP: Visual Grouping

CSP provides visual grouping of workloads and associated network flows based on virtually any category (Application, App Tier, Governance Policy, or Resource Group). These groups enable granular microsegmentation of policies, which is key to securing a cloud environment. Groups can span Subscriptions, Resource Groups, Regions, and even other providers, making Azure Network Security Groups even more powerful.

Azure Portal: Security Groups

Using the Azure Portal to list and manage network security groups, it is difficult to understand how each particular network security group is related to all the workloads it may affect.

Cloudvisory CSP: Policy Creation

Creating policies in CSP can be done across Subscriptions, across Resource Groups, across Regions, at the workload or logical group level, simply and intuitively. This gives tremendous management, security and control over the Azure deployment.

Enforcement

Once policies are provisioned they must be monitored to ensure the environment is never compromised. CSP continuously monitors hybrid-cloud environments to enforce policy compliance and detect abnormal behavior in any workload. When abnormal behavior is detected, CSP automatically remediates and neutralizes the threat to keep the environment compliant and secure.

Network Flows

Azure Portal: Network Flows

The Azure Portal, used in conjunction with Azure Network Watcher, provides a limited view into the network topology and a downloadable list of network flow details. Operational teams require information beyond this list: holistic, contextual information about workload location by Subscription, Resource Group, or Region is essential for servicing and troubleshooting the underlying cloud deployment.

Cloudvisory CSP: Network Flows

CSP’s representation of Azure resources and related flows is both visual and contextual, allowing teams to quickly identify non-compliant network flows and be alerted to potential threats. CSP also continuously monitors Network Security Policies for real-time compliance breaches, and alerts on rogue or accidental changes. In the view above, visual flow data specifically points out compliant and non-compliant net-flow details to quickly identify risk and potential malicious activity. Unlike other solutions, all this is accomplished using the Azure APIs.
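As an added illustration of the tag-driven model described under Security Orchestration and of the drift monitoring described here (this is example code, not Cloudvisory’s; the tier policy, workload names, IPs and ports are constructed), the following Python derives the inbound Network Security Group allow rules a workload should have from its tier tag, flags rules that deviate from that policy, and classifies flow records by tier rather than by raw IP:

```python
# Constructed tier policy: for each destination tier, the allowed inbound
# (source tier or "Internet", destination port) pairs.
POLICY = {
    "web": {("Internet", 443)},
    "app": {("web", 8080)},
    "db": {("app", 5432)},
}

# Constructed workloads: name -> (tier tag, private IP). In Azure these would
# be read from the Resource Manager API; here they are embedded inline.
WORKLOADS = {
    "vm-web-1": ("web", "10.0.1.4"),
    "vm-app-1": ("app", "10.0.2.4"),
    "vm-db-1": ("db", "10.0.3.4"),
}

# Source values that mean "anyone"; combined with port "*" they are the
# "open and generic settings" an NSG should never carry.
WILDCARD_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def expected_rules(tier):
    """Expand the tier policy into concrete (source prefix, port) allows.

    Tier-to-tier entries become one /32 per workload carrying the source
    tag, so the expected rule set follows workloads as they spin up or down.
    """
    rules = set()
    for src, port in POLICY.get(tier, set()):
        if src == "Internet":
            rules.add(("Internet", port))
        else:
            rules.update((f"{ip}/32", port) for t, ip in WORKLOADS.values() if t == src)
    return rules


def nsg_drift(tier, current_rules):
    """Compare an NSG's actual inbound allows with policy: missing, rogue, wildcard."""
    want = expected_rules(tier)
    rogue = current_rules - want
    return {
        "missing": want - current_rules,
        "rogue": rogue,
        "wildcard": {r for r in rogue if r[0] in WILDCARD_SOURCES and r[1] == "*"},
    }


def flow_compliant(src_ip, dst_ip, dst_port):
    """Judge a flow record by tier policy; unknown sources count as Internet."""
    tier_of = {ip: t for t, ip in WORKLOADS.values()}
    dst_tier = tier_of.get(dst_ip)
    if dst_tier is None:
        return False
    return (tier_of.get(src_ip, "Internet"), dst_port) in POLICY[dst_tier]
```

Feeding the flow records from Network Watcher flow logs through `flow_compliant` gives the compliant/non-compliant split the text describes, while `nsg_drift` run on each NSG read back from the API surfaces rogue or accidental rule changes.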

Video: Cloudvisory identifies a malware attack, then halts and quarantines the infected workload.

Cloudvisory CSP: Flow Details

CSP flow data has added richness. Flow information is summarized per workload and logical group for an enhanced understanding of the environment, and faster triage of infected workloads or malicious actions.


Policy Enforcement - Identify, Remediate, and Quarantine Automatically

Summary

Leveraging Azure’s native security controls and APIs to protect cloud environments delivers workloads that are more secure than those in traditional data centers. Cloudvisory is uniquely positioned to help you realize the full power of these tools through:

1) Continuous Discovery and Visualization of Infrastructure and Security Policies
2) Policy Organization, Orchestration and Automated Provisioning
3) Intelligent, granular, cloud-native microsegmentation
4) Continuous Monitoring, Enforcement, and auto-remediation of Security policies

CSP provides the discovery and automation necessary for an Azure cloud security strategy. CSP’s organization, visibility, control and enforcement ensure security across your Azure and hybrid-cloud deployments.
