Unlike existing solutions that are based on virtualized and/or host-based firewalls, Cloudvisory leverages the Cloud Provider’s existing cloud-native security controls to enforce workload microsegmentation. Using cloud-native APIs for infrastructure and data flow discovery – Cloudvisory accelerates deployments, eliminates misconfigurations and minimizes the overhead associated with managing least-privilege policies at scale.
CSP enforces microsegmentation rules by comparing policy intent against workload context (e.g. tags, region, provider, provider account, group membership, etc.), dynamically orchestrating policy updates in response to environmental changes.
CSP enforces microsegmentation rules based on static policies for IP addresses, providing recommendations for policy updates by leveraging Machine Learning correlations between actual network flows and current network policies.
Choose a single approach – or mix-and-match both solutions – to tailor the implementation of microsegmentation policies to meet the needs of distinct Business Units and/or Organizations.
Cloudvisory enables a Contextual approach to Microsegmentation to stop cyber-attacks in public- and private-cloud environments. The Cloudvisory Security Platform (CSP) automatically discovers existing workloads and their data flows across multiple cloud providers to generate segmentation policies based on Workload Context. Granular whitelist (i.e. microsegmentation) policies only allow required network connections to/from a workload or application, blocking everything else. As the environment changes (e.g. as Workloads are added and/or removed), CSP immediately calculates and provisions the required microsegmentation policies based on Workload Context. This results in highly consistent and immutable security policies spanning complex hybrid- and multi-cloud environments.
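The following is an added illustration of the contextual approach described above; it is example code written for this page, not Cloudvisory's own implementation or API. Policy intent is expressed against workload context (tags, account, region), the inventory a cloud-native API would return is constructed inline, and the compiler resolves intent into per-workload ingress allow lists (the equivalent of a provider security group). When a workload is added, the policy is recomputed and only the delta needs provisioning. The `Workload`/`Intent` data model and the rule tuple format are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    """One discovered cloud asset, as an inventory API would describe it (assumed shape)."""
    name: str
    ip: str
    account: str
    region: str
    tags: frozenset  # set of (key, value) pairs from the provider's tag API


@dataclass(frozen=True)
class Intent:
    """Allow src -> dst on proto/port. Everything not covered by an intent is denied.

    src is either a context selector (dict of tag key -> value) or a literal CIDR
    string for traffic from outside the inventory (e.g. "0.0.0.0/0").
    """
    src: object
    dst: dict
    port: int
    proto: str = "tcp"


def matches(wl, selector):
    """True when every key/value in the selector is present in the workload's tags."""
    wl_tags = dict(wl.tags)
    return all(wl_tags.get(k) == v for k, v in selector.items())


def compile_policy(inventory, intents):
    """Resolve context-based intents into per-workload ingress allow lists.

    Result: {workload name: {(proto, port, source CIDR), ...}}. A workload with
    an empty set has no permitted ingress at all (deny-by-default).
    """
    rules = {wl.name: set() for wl in inventory}
    for intent in intents:
        if isinstance(intent.src, str):
            sources = [intent.src]
        else:
            sources = [f"{wl.ip}/32" for wl in inventory if matches(wl, intent.src)]
        for dst in inventory:
            if matches(dst, intent.dst):
                for cidr in sources:
                    rules[dst.name].add((intent.proto, intent.port, cidr))
    return rules


def policy_diff(old, new):
    """Rules to add/remove per workload when the inventory (context) changes."""
    changes = {}
    for name in set(old) | set(new):
        added = new.get(name, set()) - old.get(name, set())
        removed = old.get(name, set()) - new.get(name, set())
        if added or removed:
            changes[name] = {"add": added, "remove": removed}
    return changes


def tagset(**kv):
    return frozenset(kv.items())


# Constructed intents and inventory for the example (not real assets).
INTENTS = [
    Intent("0.0.0.0/0", {"tier": "frontend"}, 443),
    Intent({"tier": "frontend"}, {"tier": "app"}, 8080),
    Intent({"tier": "app"}, {"tier": "db"}, 5432),
]
INVENTORY_V1 = [
    Workload("web1", "10.0.1.10", "acct-a", "us-east-1", tagset(app="shop", tier="frontend")),
    Workload("app1", "10.0.2.10", "acct-a", "us-east-1", tagset(app="shop", tier="app")),
    Workload("db1", "10.0.3.10", "acct-b", "us-east-1", tagset(app="shop", tier="db")),
]
# A second app instance is launched in a different account; only its tags matter.
INVENTORY_V2 = INVENTORY_V1 + [
    Workload("app2", "10.0.2.11", "acct-b", "us-east-1", tagset(app="shop", tier="app")),
]


def recompute_on_change():
    """Compile for both inventory states and return the provisioning delta."""
    before = compile_policy(INVENTORY_V1, INTENTS)
    after = compile_policy(INVENTORY_V2, INTENTS)
    return before, after, policy_diff(before, after)


if __name__ == "__main__":
    _, _, delta = recompute_on_change()
    for name, change in sorted(delta.items()):
        print(name, "add:", sorted(change["add"]), "remove:", sorted(change["remove"]))
```

The point of the diff step is that the delta is confined to the workloads whose context relationships changed: adding `app2` produces one new ingress rule on `db1` and a fresh allow list for `app2`, while `web1` and `app1` are untouched.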
Contextual Microsegmentation provides operational agility to Business, DevOps & Security Teams by removing the complexity of managing microsegmentation rules at scale. Unlike legacy solutions which have limited context, Cloudvisory’s unique architecture imposes no limits on logical groupings of cloud assets for purposes of Contextual Microsegmentation.
Microsegmentation is not achieved in a vacuum. Organizations with mature cloud security practices may already implement "golden state" network policies aligned with existing operational processes and technology. In such cases, the Contextual Microsegmentation approach may not be appropriate. Yet, "golden state" is often far from perfect and – in any case – requires refinement over time.
Cloudvisory recognizes the need to work with existing processes and technologies while also providing a path forward for improving existing security controls in concert with environmental changes. Therefore, Cloudvisory enables microsegmentation based on "golden state" through:
CSP learns existing policies and suggests intelligent improvements based on actual network flows. Mature cloud security teams may use CSP to learn and enforce existing "golden state" cloud security policies, automatically detecting changes and generating corresponding alerts and recommendations without interfering with existing business automation processes.
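As an added example of the "golden state" workflow just described (written for this page; not Cloudvisory's code), the block below records a static IP-based allow list as the golden state, then correlates observed flow records with the current policy. It reports three things a team would act on: drift between golden state and the current rules (an alert), allow rules that no observed flow exercised (a candidate for tightening), and flows that match no rule (traffic to review). The correlation is a plain hit count per rule, standing in for the statistical correlation the page describes; the rule text format and the flow record fields are assumptions, and the flows are constructed.

```python
import ipaddress
from collections import Counter


def parse_rule(text):
    """Rule text is assumed to be '<proto> <port> <source CIDR>', e.g. 'tcp 5432 10.0.2.0/24'."""
    proto, port, cidr = text.split()
    return proto, int(port), ipaddress.ip_network(cidr)


def flow_matches(rule_text, flow):
    """True when the flow's protocol, destination port and source address fall under the rule."""
    proto, port, net = parse_rule(rule_text)
    return (
        flow["proto"] == proto
        and flow["dport"] == port
        and ipaddress.ip_address(flow["src"]) in net
    )


def detect_drift(golden, current):
    """Rules present now but not in golden state, and vice versa."""
    return {"added": set(current) - set(golden), "removed": set(golden) - set(current)}


def correlate(rules, flows):
    """Count observed flows per allow rule; collect flows that no rule permits."""
    hits = Counter({r: 0 for r in rules})
    unmatched = []
    for flow in flows:
        matched = [r for r in rules if flow_matches(r, flow)]
        if not matched:
            unmatched.append(flow)
        for r in matched:
            hits[r] += 1
    return hits, unmatched


def recommend(golden, current, flows):
    """Combine drift, unused-rule and unmatched-flow findings into one report."""
    drift = detect_drift(golden, current)
    hits, unmatched = correlate(current, flows)
    return {
        "drift": drift,
        "hits": dict(hits),
        "unused_rules": sorted(r for r, n in hits.items() if n == 0),
        "unmatched_flows": unmatched,
    }


# Constructed golden state: what the team approved for a database workload.
GOLDEN = ["tcp 5432 10.0.2.0/24", "tcp 22 10.0.9.0/24"]
# Constructed current state: someone has since widened database access to the world.
CURRENT = GOLDEN + ["tcp 5432 0.0.0.0/0"]
# Constructed flow records (as a provider flow log might report them).
FLOWS = [
    {"src": "10.0.2.10", "dport": 5432, "proto": "tcp"},
    {"src": "10.0.2.10", "dport": 5432, "proto": "tcp"},
    {"src": "10.0.2.11", "dport": 5432, "proto": "tcp"},
    {"src": "198.51.100.7", "dport": 5432, "proto": "tcp"},  # only the widened rule allows this
    {"src": "10.0.2.10", "dport": 8080, "proto": "tcp"},  # no rule allows this
]


def report():
    return recommend(GOLDEN, CURRENT, FLOWS)


if __name__ == "__main__":
    r = report()
    print("drift:", r["drift"])
    print("unused rules:", r["unused_rules"])
    print("unmatched flows:", r["unmatched_flows"])
```

Reading the output: the drift finding flags the `0.0.0.0/0` rule as a departure from golden state, the zero hit count on the SSH rule suggests it can be removed or narrowed, and the unmatched port 8080 flow is either traffic that should be denied or a missing intent to add.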
Public and Private Cloud environments have powerful security controls embedded in their infrastructure. When configured correctly, these native security controls provide the strongest support to protect dynamic applications and microservices running in the cloud. Legacy security controls are static, difficult to scale, complex to configure, and were not designed for cloud environments. These legacy tools cannot be retrofitted to work smoothly in cloud environments. Because cloud infrastructures are whitelist-based (deny by default), legacy segmentation controls cannot function unless the cloud-native security controls themselves are configured accurately. CSP automatically provisions, secures, and monitors multiple cloud environments using enforcement controls that are native to each cloud provider.
Whether in modern cloud environments or legacy datacenter deployments, attackers know that most organizations:
Since most organizations focus most of their defense efforts on perimeter-based, preventive controls – modern attackers still spend most of their time and resources attempting to breach perimeter defenses. Experience has taught them that getting "beyond the castle walls" is the hard part. Once inside, attackers expect to be able to navigate with relative impunity and, thus, can take their time poking and prodding their way through the enterprise – maintaining Command & Control while moving laterally toward their high-value target(s).
As enterprises move to multi-cloud deployments, the enterprise "perimeter" has gone from being centralized, static and physically defined – to distributed (think "multi-cloud"), dynamic (configurable through Cloud Provider APIs) and logically defined (think "floating / public IPs"). On top of this, self-service cloud (virtualization) technologies have improved efficiency and scalability at the expense of security and visibility. There are simply more security-relevant assets and controls, changing more often, than ever before.
Thus, a new approach is needed – one that allows organizations to continue to benefit from the efficiency and scalability made possible by the cloud while enhancing security operations through deep Visibility, continuous Compliance, and enforceable Governance.
Good Governance relies on deep Visibility and continuous Compliance. To complete the microsegmentation journey, one must understand where to begin and must also have the tools (stepping stones) to move quickly down the right path.
Visibility into actual network behavior provides the first step in achieving microsegmentation.
Visibility provides a foundation for Compliance Guardrails, which set sensible limits on allowed (self-service) policies while providing stepping stones on the road to microsegmentation-by-default.
Governance goes beyond Compliance in order to set explicit policies for specific cloud workloads, enforcing consistent security policies across cloud providers, accounts & regions.
© 2020 Cloudvisory, Now a part of FireEye, Inc.