Cloudvisory Use Cases
Multi-Cloud Use Cases
Multi-Cloud | Use Case 01
Compliance Guardrails for Mitigating Risk
Our internal users (of cloud resources) expect self-service, but our internal security team(s) require a minimum level of oversight and control over any security controls throughout the Organization. How can we continue to allow self-service for end-users while imposing sensible limits to prevent exposing the entire Organization to unnecessary risk?
CSP provides a flexible platform for enforcing good hygiene in the cloud. Users can set "guardrails" for allowed configurations throughout the cloud landscape, where the "guardrails" are Compliance Checks from one or more sources. While CSP provides thousands of customizable Compliance Checks out-of-the-box, CSP Users can also create custom checks in any language, or convert ad-hoc "Inspector" audits into recurring Compliance Checks. For example, a security administrator can use the CSP Network Policy Inspector to audit for Security Group Rules that should never exist in any cloud – rules that allow traffic from "untrusted" sources. As the security administrator creates ad-hoc searches for configurations of interest, they may choose to convert an especially useful search into an ongoing Compliance Check. The new Compliance Check sets a "Compliance Guardrail" – a new security standard – where CSP makes it easy to setup alerting and/or remediation as automated responses to any new Compliance Check failures.
Features
- Ad-hoc Audits
- Continuous Security Analytics
- Cloud Security Policy Management
- Compliance Guardrails
- Extendable Compliance Framework
- Risk Analysis & Remediation
- Vulnerability Management
Multi-Cloud | Use Case 02
Drill-Down, and Pivot
Our Security Team has limited resources, yet there seems to be no limit to the scale and distribution of our Cloud Assets. We need a cloud security solution that not only allows us to see everything (e.g. Assets, Context, Controls, Events), but also highlights the most efficient path forward for remediating risks and improving our cloud security posture.
Advances in cloud technology have empowered trends toward:
- • automated deployments
- • ephemeral infrastructure
- • highly distributed deployments
- • highly scalable (massive) deployments
- • self-service provisioning
- Ad-hoc Audits
- Automated Policy Governance
- Continuous Security Analytics
- Cloud Security Policy Management
- Single-pane-of-glass Security
- Network Flow Visualization
- Risk Analysis & Remediation
Multi-Cloud | Use Case 03
Scalability
We have a very large multi-cloud deployment. We have been unable to find a security solution that can handle the scale of our extremely large Organization while allowing our central security team to manage and monitor all Cloud Assets – and associated Security Controls – from a single interface.
The Cloudvisory Security Platform (CSP) is built with scalability in mind. Early on, Cloudvisory recognized that any complete cloud security solution would need to be both highly available and highly scalable, able to meet the reliability and performance demands of any organization of any size. Thus, every service in the automated CSP deployment is capable of being scaled-out in order to provide enhanced reliability and performance. CSP is built on industry leading NoSQL database technologies, capable of handling many millions of events-per-second while also providing rich security analytics and low-latency ad-hoc audits/queries against Terabytes of stored data. Cloudvisory provides capacity management and monitoring tools to allow Organizations to scale-out CSP hosts/services when and where needed.
- Continuous Security Analytics
- Single-pane-of-glass Security
Multi-Cloud | Use Case 04
Customizable Retention for Cloud Security Data
Regulatory requirements dictate that all security related data be retained in an online, searchable state for at least X months and in an archived state for at least Y years. We need a cloud security solution that scales well and can be customized to meet any retention requirement, even for exceptionally large cloud deployments.
Cloudvisory supports custom retention strategies for all forms of data collected or generated by the Cloudvisory Security Platform (CSP). Keeping data longer requires additional capacity in the CSP cluster, and – as a general rule – more resources under management results in more data collected and generated. Since capacity planning is specific to each Client, Cloudvisory focuses on providing mature automation tooling for deploying and scaling CSP clusters of any size in order to meet any Client's requirements for performance, reliability, and/or retention. Within this automation tooling, Cloudvisory makes it easy to setup automated backup routines for each type of data stored in CSP. Through a simple YAML configuration file, the Client may customize the destination, frequency, and retention parameters for automated backup routines to cloud object storage of your choice. For example, it is common to use cloud object storage (such as AWS S3) as the destination for all backups; where a given Client may choose to backup Compliance Check Data every 24 hours while retaining the source Compliance Check Data in the CSP cluster for a minimum 365 days, while the same Client may choose to backup Network Flow Data every hour but only retain this flow data in the CSP cluster for 30 days.
- Automated Policy Governance
- Continuous Security Analytics
AWS Use Cases
AWS | Use Case 01
Audit & Visualize Risks Detected in Configured State
Searching all relevant security configurations for any (or all) Cloud Assets is challenging, mostly due to the dynamic and scalable nature of cloud deployments, but also because the perception of Risk changes depending on who is assessing Risk... and when. We need the ability to audit Risks at scale, but with flexibility.
CSP allows users to search both the configured state of inventory Resources as well as the event history for those Resources. CSP exposes easy-to-use "Inspector" interfaces for generating ad-hoc queries of the configured state of Resources, such as the CSP Network Policy Inspector for auditing for risky configurations (rules) in network security groups. As CSP helps users identify risks via ad-hoc audits, CSP also provides tools for notifying stakeholders as well as for converting ad-hoc audits into continuous Compliance Guardrails.
Features
- Ad-hoc Audits
- Single-pane-of-glass Security
AWS | Use Case 02
Audit & Visualize Actual Workload Behavior
If it is difficult to audit and visualize security controls at scale, then it is nearly impossible to audit and visualize all security events at scale. We need a solution that can collect and process all of the event data we generate while making it simple to drill-down on the security events that really matter.
CSP allows users to search both the configured state of Cloud Resources as well as the event history for those Resources. CSP exposes a configurable "Visualization" interface for visualizing relations in the event history of discovered Cloud Resources, such as the Flow Visualization interface for auditing the history of network flows for all in-scope cloud assets in near-real-time.
CSP Users can clearly visualize any arbitrary set of Objects auto-discovered from registered Providers; including AWS Provider Accounts, Regions, VPCs, EC2 Instances, S3 Buckets, Lambda Functions, IAM Users and Roles, Metadata, Security Groups and Security Group Rules. CSP automatically analyses, learns, and maps actual network flows to Provider Objects (e.g. AWS Instances) and generates CSP Policy Recommendations via Machine Learning algorithms – where the network flows for all in-scope AWS EC2 Instances are also discovered by CSP via AWS VPC Flow Logs.
AWS Flow Logs
CSP Users can clearly visualize any arbitrary set of Objects auto-discovered from registered Providers; including AWS Provider Accounts, Regions, VPCs, EC2 Instances, S3 Buckets, Lambda Functions, IAM Users and Roles, Metadata, Security Groups and Security Group Rules. CSP automatically analyses, learns, and maps actual network flows to Provider Objects (e.g. AWS Instances) and generates CSP Policy Recommendations via Machine Learning algorithms – where the network flows for all in-scope AWS EC2 Instances are also discovered by CSP via AWS VPC Flow Logs.
AWS Flow Logs
- Ad-hoc Audits
- Continuous Security Analytics
- Single-pane-of-glass Security
- Network Flow Visualization
Kubernetes Use Cases
Kubernetes | Use Case 01
Network Flow Visibility
Kubernetes (k8s) provides no visibility into the actual network flows for k8s resources (e.g. Containers, Pods). For Compliance Assurance and/or troubleshooting, how can the network behavior of k8s resources be audited?
The Cloudvisory Security Platform (CSP) provides near-real-time visibility into the complete history of network flows to, from, and between Kubernetes Pods and Containers. CSP delivers Cloud-Native Security on Kubernetes through integrations with Kubernetes APIs and NetworkPlugins.
https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
CSP collects network flow data from a Node-level agent, meaning that – regardless of how many Pods and Containers run on a given Node – Cloudvisory's lightweight flow collection agent runs on each Kubernetes Node as a Kubernetes DaemonSet in each Kubernetes Cluster monitored by CSP.
https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
The lightweight flow collection agent integrates with any Kubernetes NetworkPlugin that supports Kubernetes NetworkPolicies. Cloudvisory has found Calico plugin (calico-cni) to be the most common NetworkPlugin for large Kubernetes clusters.
https://docs.projectcalico.org/v1.5/getting-started/kubernetes/installation/
CSP automatically discovers all resources within a given Kubernetes cluster and adds contextual data to reported network flow information by matching Kubernetes network flows to the IP address of the associated Kubernetes Pod. CSP Users visualize ingress and egress network flows for Kubernetes resources, providing a clear visual mapping of observed network flows across Kubernetes Clusters, Namespaces, Pods, and Containers.
CSP can also compare observed network flows to configured Network Policies for Kubernetes resources, providing configurable alerting and/or remediation for policy violations.
https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
CSP collects network flow data from a Node-level agent, meaning that – regardless of how many Pods and Containers run on a given Node – Cloudvisory's lightweight flow collection agent runs on each Kubernetes Node as a Kubernetes DaemonSet in each Kubernetes Cluster monitored by CSP.
https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
The lightweight flow collection agent integrates with any Kubernetes NetworkPlugin that supports Kubernetes NetworkPolicies. Cloudvisory has found Calico plugin (calico-cni) to be the most common NetworkPlugin for large Kubernetes clusters.
https://docs.projectcalico.org/v1.5/getting-started/kubernetes/installation/
CSP automatically discovers all resources within a given Kubernetes cluster and adds contextual data to reported network flow information by matching Kubernetes network flows to the IP address of the associated Kubernetes Pod. CSP Users visualize ingress and egress network flows for Kubernetes resources, providing a clear visual mapping of observed network flows across Kubernetes Clusters, Namespaces, Pods, and Containers.
CSP can also compare observed network flows to configured Network Policies for Kubernetes resources, providing configurable alerting and/or remediation for policy violations.
Features
- Ad-hoc Audits
- Automated Policy Governance
- Continuous Security Analytics
- Single-pane-of-glass Security
- Network Flow Visualization
Kubernetes | Use Case 02
Microsegmentation Made Easy
Kubernetes provides substantial benefits from automation and scalability, though Kubernetes also presents substantial challenges for network security. A complete cloud security solution should natively support microsegmentation of Kubernetes applications via Kubernetes Network Policies.
Most cloud security solutions ignore Kubernetes, whereas Cloudvisory has native support for visibility, compliance & governance on Kubernetes. In the Cloudvisory Security Platform (CSP), Kubernetes is a first-class cloud provider. In fact, some CSP features work better on Kubernetes than on other cloud providers. CSP supports automated network security policy governance by associating microsegmentation network policies with cloud assets via asset metadata. In other words, CSP can use metadata (e.g. tags, labels) to map and enforce least-privilege network policies to cloud assets, such as when mapping microsegmentation policies to Kubernetes Pods by using the "Labels" for the Pod(s). This fits with the native operating model for any Kubernetes cluster, where policies and actions within a Kubernetes cluster are essentially governed by comparing rules against Labels.
- Ad-hoc Audits
- Continuous Security Analytics
- Single-pane-of-glass Security
- Network Flow Visualization
- Automated Policy Governance
- Cloud Security Policy Management
- Compliance Guardrails
- Intelligent Microsegmentation
- Threat Detection & Response
Openstack Use Cases
Openstack | Use Case 01
Multi-Cloud, Single-Pane-of-Glass Security Management
Managing multiple OpenStack deployments is a pain. We need a single-pane-of-glass from which we can find out what is happening in all of our cloud deployments, at any time.
Sadly, OpenStack is not perfect. Historically, it has been difficult to both deploy, maintain, and upgrade large OpenStack clusters while providing reliable performance to many resident Instances / Projects / Customers / Business Units. While deployment tools for OpenStack have improved – as has scalability – over time, many in-place OpenStack deployment architectures are still designed around the historical weaknesses of OpenStack. Thus, Cloudvisory commonly sees customers with many separate (completely unfederated) deployments of OpenStack clusters of some fixed maximum size. This pattern has been furthered by trends toward Network Function Virtualization (NFV), as driven by global Telecoms pursuing next-generation network technologies. Though CSP must adjust the way it registers and discovers multiple distinct OpenStack "Provider" accounts, the distinction between federated versus unfederated OpenStack deployments makes no difference in to users in the CSP UI.
Features
- Ad-hoc Audits
- Cloud Security Policy Management
- Continuous Security Analytics
- Single-pane-of-glass Security
- Compliance Guardrails
Openstack | Use Case 02
Audit and Manage Multiple OpenStack Clouds, Clusters, and Regions
We have multi-region OpenStack deployments and/or multiple separate (not federated) OpenStack deployments. How do we audit and manage consistent security policies across all of our OpenStack deployments and/or regions?
Auditing and managing OpenStack security is hard enough with a single-region, single-cluster deployment. Even then, there is no visibility into the actual behavior of OpenStack Tenants / Projects / Instances.
Perhaps the most common CSP Use Case for Cloudvisory customers running OpenStack – CSP provides a single-pane-of-glass user interface (as well as a REST API) for discovering, monitoring, and managing multiple OpenStack clouds. Whether your Organization's OpenStack deployments are federated (multi-region) or separated (individual regions), your Organization's operations end up requiring a common method of managing multiple OpenStack clouds and/or regions.
CSP is multi-region capable for OpenStack (API) "Providers" in CSP, but still Cloudvisory commonly sees OpenStack customers using CSP to monitor multiple, multi-region OpenStack clouds. For example, a large Organization running OpenStack for its own Private Cloud purposes is likely to have at least one team dedicated to developing, maintaining, and providing OpenStack (Infrastructure) as-a-Service; and it is common for the IaaS group to actually have separate multi-region OpenStack deployments for Dev/Lab, QA, Staging, and Production versions of OpenStack deployments. CSP provides visibility into both development and security operations on OpenStack and is used by Organizations (such as in this example) to provide near-real-time Visibility as well as historical Auditing of network flow activity to, from, and between and OpenStack Instance in any Project / Region / Deployment.
Perhaps the most common CSP Use Case for Cloudvisory customers running OpenStack – CSP provides a single-pane-of-glass user interface (as well as a REST API) for discovering, monitoring, and managing multiple OpenStack clouds. Whether your Organization's OpenStack deployments are federated (multi-region) or separated (individual regions), your Organization's operations end up requiring a common method of managing multiple OpenStack clouds and/or regions.
CSP is multi-region capable for OpenStack (API) "Providers" in CSP, but still Cloudvisory commonly sees OpenStack customers using CSP to monitor multiple, multi-region OpenStack clouds. For example, a large Organization running OpenStack for its own Private Cloud purposes is likely to have at least one team dedicated to developing, maintaining, and providing OpenStack (Infrastructure) as-a-Service; and it is common for the IaaS group to actually have separate multi-region OpenStack deployments for Dev/Lab, QA, Staging, and Production versions of OpenStack deployments. CSP provides visibility into both development and security operations on OpenStack and is used by Organizations (such as in this example) to provide near-real-time Visibility as well as historical Auditing of network flow activity to, from, and between and OpenStack Instance in any Project / Region / Deployment.
Features
- Ad-hoc Audits
- Single-pane-of-glass Security
Openstack | Use Case 03
Proven Performance in Production OpenStack
There are many cloud security vendors in the market, but it seems that they either do not support OpenStack or, perhaps worse, they want to do something terrible and disgusting to our OpenStack deployment(s) just to get their product integration working. The more we talk to security vendors, the more we realize that they do not care – or know anything – OpenStack. We need a security vendor with a proven track record in high-performance, production OpenStack deployments.
Cloudvisory's customers use the Cloudvisory Security Platform (CSP) to centralize the management of many large, production OpenStack deployments. APIs for OpenStack services – such as Keystone, Nova, and Neutron – provide the main CSP integration with OpenStack. Cloudvisory automatically discovers and maps inventory assets within OpenStack – such as OpenStack Services, Regions, Projects, Networks, Instances and Security Groups – and allows CSP Users to audit and visualize all resources in any OpenStack deployment. Cloudvisory can also monitor network flows between OpenStack Nova Instances and/or OpenStack Neutron Ports via a lightweight hypervisor agent (on OpenStack Compute nodes only) with minimal dependencies. In order to "secure OpenStack, without ruining OpenStack", Cloudvisory ensures its OpenStack integrations are as lightweight and seamless as possible. Cloudvisory's solution has proven the ability to dynamically monitor and protect hundreds of thousands of OpenStack Instances – including the millions of network flows to and from those instances – without introducing any detectable latency and without blocking the upgrade path for OpenStack itself.
Features
- Ad-hoc Audits
- Single-pane-of-glass Security
Openstack | Use Case 04
Automating Continuous Compliance for OpenStack Infrastructure
Demonstrating continuous compliance for our OpenStack infrastructure seems extremely arduous. Our OpenStack infrastructure team is great at operating OpenStack, and we think our OpenStack infrastructure uses (mostly) secure configurations. However, our highly-regulated Organization requires that we are able to prove compliance at any time in order to establish and maintain due diligence as the Infrastructure-as-a-Service (IaaS) Provider to our resident Tenants / Projects / Business Units. How do we automate Compliance Assurance so that our talented OpenStack team members can focus on operations and spend less time explaining OpenStack to an external Auditor?
Cloudvisory provides out-of-the-box Compliance Checks for the OpenStack Security Checklist, which is part of the community-maintained OpenStack Security Guide. Cloudvisory also provides out-of-the-box Compliance Checks for CIS Benchmarks on CentOS, Redhat, Ubuntu 16.04, and Ubuntu 18.04. Wherever possible, built-in Compliance Checks include the ability to automate the remediation of Compliance Check Failures (Risks) via 1) automated or 2) push-button response.
https://docs.openstack.org/security-guide/index.html https://docs.openstack.org/security-guide/checklist.html https://www.cisecurity.org/benchmark/centos_linux/ https://www.cisecurity.org/benchmark/red_hat_linux/ https://www.cisecurity.org/benchmark/ubuntu_linux/
Cloudvisory designed its Compliance Framework to be highly extendable, and highly customizable, by default. Thus, Cloudvisory makes it easy to add and/or customize Compliance Checks in several ways, enabling CSP Users to:
only enable Compliance Checks that make sense for your organization; customize the run frequency for a given Compliance Check or Compliance Group (of checks); customize the severity assigned when a given Compliance Check reports a 'FAILING' status; create custom checks in the programming language of your choice; create custom attribute checks from templates in the CSP UI and/or YAML files; convert ad-hoc queries into recurring Compliance Checks via the CSP UI. However you choose to extend the Compliance Framework, Cloudvisory makes it simple for you to encapsulate your business requirements as code for continuous compliance assurance.
https://docs.openstack.org/security-guide/index.html https://docs.openstack.org/security-guide/checklist.html https://www.cisecurity.org/benchmark/centos_linux/ https://www.cisecurity.org/benchmark/red_hat_linux/ https://www.cisecurity.org/benchmark/ubuntu_linux/
Cloudvisory designed its Compliance Framework to be highly extendable, and highly customizable, by default. Thus, Cloudvisory makes it easy to add and/or customize Compliance Checks in several ways, enabling CSP Users to:
only enable Compliance Checks that make sense for your organization; customize the run frequency for a given Compliance Check or Compliance Group (of checks); customize the severity assigned when a given Compliance Check reports a 'FAILING' status; create custom checks in the programming language of your choice; create custom attribute checks from templates in the CSP UI and/or YAML files; convert ad-hoc queries into recurring Compliance Checks via the CSP UI. However you choose to extend the Compliance Framework, Cloudvisory makes it simple for you to encapsulate your business requirements as code for continuous compliance assurance.
Features
- Automated Policy Governance
- Cloud Security Policy Management
- Compliance Guardrails
- Continuous Security Analytics
- Extendable Compliance Framework
- Risk Analysis & Remediation
- Vulnerability Management
Openstack | Use Case 05
Ad-hoc Searches for Auditing Risk in Configured State
Searching all relevant security configurations for any (or all) Cloud Assets is challenging, mostly due to the dynamic and scalable nature of cloud deployments, but also because the perception of Risk changes depending on who is assessing Risk... and when. We need the ability to audit Risks at-scale, but with flexibility.
CSP allows users to search both the configured state of inventory Resources as well as the event history for those Resources. CSP exposes easy-to-use "Inspector" interfaces for generating ad-hoc queries of the configured state of Resources, such as the CSP Network Policy Inspector for auditing for risky configurations (rules) in network security groups. As CSP helps users identify risks via ad-hoc audits, CSP also provides tools for notifying stakeholders as well as for converting ad-hoc audits into continuous Compliance Guardrails.
Features
- Ad-hoc Audits
- Automated Policy Governance
- Cloud Security Policy Management
- Compliance Guardrails
- Continuous Security Analytics
- Extendable Compliance Framework
- Risk Analysis & Remediation
- Vulnerability Management
- Single-pane-of-glass Security
Openstack | Use Case 06
Audit & Visualize Actual Workload Behavior
If it is difficult to audit and visualize security controls at scale, then it is nearly impossible to audit and visualize all security events at scale. We need a solution that can collect and process all of the event data we generate while making it simple to drill-down on the security events that really matter.
CSP allows users to search both the configured state of Cloud Resources as well as the event history for those Resources. CSP exposes a configurable "Visualization" interface for visualizing relations in the event history of discovered Cloud Resources, such as the Flow Visualization interface for auditing the history of network flows for all in-scope cloud assets in near-real-time.
CSP Users can clearly visualize any arbitrary set of Objects auto-discovered from registered Providers; including OpenStack Provider Accounts, Regions, Projects, Instances, Metadata, Security Groups and Security Group Rules. CSP automatically analyses, learns, and maps actual network flows to Provider Objects (e.g. OpenStack Instances) and generates CSP Policy Recommendations via Machine Learning algorithms – where the network flows for all hosted OpenStack Instances are also discovered by CSP via the cvagent running in OpenStack "hypervisor mode" on each OpenStack compute hypervisor.
CSP Users can clearly visualize any arbitrary set of Objects auto-discovered from registered Providers; including OpenStack Provider Accounts, Regions, Projects, Instances, Metadata, Security Groups and Security Group Rules. CSP automatically analyses, learns, and maps actual network flows to Provider Objects (e.g. OpenStack Instances) and generates CSP Policy Recommendations via Machine Learning algorithms – where the network flows for all hosted OpenStack Instances are also discovered by CSP via the cvagent running in OpenStack "hypervisor mode" on each OpenStack compute hypervisor.
Features
- Ad-hoc Audits
- Continuous Security Analytics
- Network Flow Visualization
- Single-pane-of-glass Security
Openstack | Use Case 07
Support for Alternative OpenStack Deployment Architectures
Getting ready for 5G means getting good at NFV. Minimizing latency between virtualized network functions is paramount. Thus, migrating to an alternative / next-generation (Neutron) network architecture for OpenStack is now a critical business priority. Any security solution for OpenStack must be able to support the chosen architecture without replacing components or adding latency between NFV functions.
Cloudvisory's staff includes experienced Developers and Operators from the OpenStack Community. Cloudvisory understands that production OpenStack deployments are designed and tuned for a purpose, and there really is no "standard" OpenStack deployment from one Enterprise to the next. Cloudvisory is the only vendor that has figured out how to "secure OpenStack without ruining OpenStack", and we have carried this mantra forward as we develop enhanced support for native network monitoring and enforcement on next-generation OpenStack Neutron architectures. Specifically, Cloudvisory is getting ready for supporting the 5G Telecoms of the world by developing support for the OpenStack Neutron Layer-2 architectures which power low-latency NFV on OpenStack, including Open vSwitch (OVS) with DPDK and VPP with DPDK.
https://my-vpp-docs.readthedocs.io/en/latest/gettingstarted/users/configuring/startup.html
http://docs.openvswitch.org/en/latest/howto/dpdk/
https://my-vpp-docs.readthedocs.io/en/latest/gettingstarted/users/configuring/startup.html
http://docs.openvswitch.org/en/latest/howto/dpdk/
Features
- Intelligent Microsegmentation
- Continuous Security Analytics
- Network Flow Visualization
- Single-pane-of-glass Security
© 2020 Cloudvisory, Now a part of FireEye, Inc.