Application Context
An Application is a collection of resources/infrastructure that’s dynamically built and maintained as infrastructure scales up or down to support users' workloads. These collections are built based on the presence of tags configured within InsightCloudSec.
Applications are a powerful scoping mechanism that can be used to create different perspectives across the following parts of the product:
Create an application
InsightCloudSec runs a baseline job to group the resources based on the following settings. After the job runs, you can review the application summary.
- In InsightCloudSec, go to Inventory > Applications and click Settings.
- Enter one or more Tag Keys to help you easily filter all resources with the same tag.
- (Optional) To disable automatic grouping of resources with the same tag, enable Case Sensitive.
- (Optional) To automatically remove any whitespace or blank character from a tag key or value, enable Trim Whitespace. If whitespace is accidentally added to a tag or value, a new tag or value is created, which does not relate to the correctly named tag.
- Click OK.
Application Configuration
To configure the capability, browse to the "Resource --> Applications" section and click "Settings". From the Settings window, enter the tag key from which you wish to build applications. Information on each of the setting inputs can be found below.
- Tag Key -- This is the most critical setting as it provides InsightCloudSec with the key that maps to the Application name/identifier. Resources that have this tag key in place will be aggregated and linked together.
- Case Insensitive -- When enabled, tag key-value pairs will be converted to lowercase to ensure that casing inconsistencies do not result in separate application groupings. This is disabled by default.
- Trim Whitespace -- Oftentimes when tagging resources, developers can mistakenly prepend/append whitespace to the tag key and/or value, for example " App_ID" or "App_ID ". The result of this whitespace would be a grouping into a separate application within ICS. By enabling this feature, the whitespace is removed.
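The effect of the Case Insensitive and Trim Whitespace settings can be reproduced offline to audit tag hygiene before choosing a Tag Key. The following is an added example, not InsightCloudSec code: the function names and the inventory are constructed, and it assumes that a resource whose tag key does not match the configured key is left out of every application.

```python
from collections import defaultdict

# Constructed sample inventory: (resource_id, tags). Not real data.
SAMPLE_INVENTORY = [
    ("i-0a1", {"App_ID": "Payments"}),
    ("i-0a2", {"App_ID": " Payments"}),     # leading space in the value
    ("vol-0b1", {"App_ID ": "payments"}),   # trailing space in the key, lowercase value
    ("bucket-0c1", {"app_id": "Billing"}),  # lowercase key
    ("i-0d1", {"Owner": "team-x"}),         # no application tag at all
]

def normalize(text, case_insensitive, trim_whitespace):
    """Apply the two settings described above to a tag key or value."""
    if trim_whitespace:
        text = text.strip()
    if case_insensitive:
        text = text.lower()
    return text

def group_applications(inventory, tag_key, case_insensitive=False, trim_whitespace=False):
    """Return {application_name: [resource_id, ...]} for resources carrying tag_key."""
    wanted = normalize(tag_key, case_insensitive, trim_whitespace)
    apps = defaultdict(list)
    for resource_id, tags in inventory:
        for key, value in tags.items():
            if normalize(key, case_insensitive, trim_whitespace) == wanted:
                name = normalize(value, case_insensitive, trim_whitespace)
                apps[name].append(resource_id)
                break  # assumption: one application per resource
    return dict(apps)

def fragmented_applications(inventory, tag_key):
    """List the raw (key, value) spellings that collapse into one application
    once both settings are enabled; only names with 2+ spellings are returned."""
    wanted = tag_key.strip().lower()
    variants = defaultdict(set)
    for _, tags in inventory:
        for key, value in tags.items():
            if key.strip().lower() == wanted:
                variants[value.strip().lower()].add((key, value))
    return {name: sorted(v) for name, v in variants.items() if len(v) > 1}

if __name__ == "__main__":
    print("strict:    ", group_applications(SAMPLE_INVENTORY, "App_ID"))
    print("normalized:", group_applications(SAMPLE_INVENTORY, "App_ID", True, True))
    print("variants:  ", fragmented_applications(SAMPLE_INVENTORY, "App_ID"))
```

Every entry returned by `fragmented_applications` is an application that would be split, or have resources missing from it, if the two settings were left off.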
Review application context
After the application job runs, the Application Summary page displays applications based on Business Critical association, criticality, and size. By default, all applications are imported as low criticality and not flagged as business critical.
Application Summary
Once configured, InsightCloudSec will kick off an initial baseline job to perform the first grouping of resources based on the supplied settings. For larger customers this process can take several minutes. Once complete, customers will see applications listed in the view. The Application Summary view breaks down applications based on Business Critical association, criticality, and size. By default, all applications are imported as low criticality and are not flagged as business critical. Customers can update application properties by clicking the settings gear for each application. Applications are kept in sync as a part of our standard data collection. When new resources are provisioned and existing resources are changed, we look at the tags to see if they match the configured Tag Key defined. This synchronization includes standard harvesting as well as event driven harvesting to keep application inventory synchronized in real time.
Customers will find statistics about each application aggregated within this view. Information on the total cloud accounts, resource count, compute cores, object storage, and block storage is summarized for each application. Check out the Frequently Asked Questions (FAQ) for additional context on this feature.
Edit an application
To edit application properties from Resources, go to Inventory > Applications, select your application, and click Settings.
To edit application properties from the Application Summary page, click the settings icon for each application.
(Optional) Configure advanced properties
You can enrich the Application system with additional properties/metadata. These properties can help with enriching InsightCloudSec reporting, filtering, automation, and more. We strongly recommend that customers take the time to update Application properties either in the UI or in bulk via our programmatic API.
- Go to the Application settings page.
- Enter a description.
- Select an Application Category.
- Determine whether the application is Business Critical by enabling or disabling the option.
- Enter a Point of Contact.
- Click OK.
Application Properties
Customers can enrich the Application system with additional properties/metadata. These properties can help with enriching InsightCloudSec reporting, filtering, automation, and more. We strongly recommend that customers take the time to update Application properties either in the UI or in bulk via our programmatic API. These properties are optional and not required.
- Description -- This provides a human-readable description/name for the application. This can be helpful for customers that use application identifiers; for example: App703205.
- Application Category -- An optional category that customers can use to group applications together. These can be used for filtering across the entire application, and in future releases, reporting capabilities will be expanded to aggregate at the application category level.
- Business Critical -- Recommended to flag for a customer’s most critical applications that have a high impact on their business/operations. Sometimes referred to as a "crown jewel".
- Point-of-Contact -- The response party/contact for the application.
Applications in action
Applications are associated with many aspects of InsightCloudSec. The sections below outline some potential use cases for scoping with Applications throughout InsightCloudSec.
Layered Context
Use Layered Context for a high-level, resource-centric view of the most critical resources found in all environments that are connected to InsightCloudSec. Layered Context can be grouped by application to simplify viewing risk in the context of your various applications. Layered Context is one of the areas that benefits most from Applications. For example, they can be used as a pivot point to aggregate cloud misconfigurations, Threat Findings, and vulnerabilities. This allows application owners to gain quick insight into the issues that are most pertinent to their day-to-day operations. Beyond grouping constructs, Layered Context includes filters that can be used to identify signals and risks in applications specifically.
Resources
Resources are fundamental to every feature within InsightCloudSec. All services, utilities, or functions that make up your cloud are managed as Resources. After deploying our platform and connecting your cloud accounts, the Resources page is a single location from which to view resources across all of your cloud accounts. Viewing resource inventory within InsightCloudSec also benefits from Application Context. Like Clouds, Badges, and Resource Groups, Applications can be used to only display infrastructure associated with one or more selected applications. This allows application owners to get visibility into all of the compute, networking, storage, and identity that powers their application/workload.
On the Resources page, navigate to Scopes > Applications to view resources associated with your applications.
Compliance Scorecard
The Compliance Scorecard can provide visibility into compliance framework violations at the application level instead of at a cloud/badge level, which often can be far too granular. Customers can take advantage of Applications as a way to scope Compliance Scorecard results. Application scoping extends beyond the filtering within the browser, allowing customers to pivot by application in the Excel and JSON subscription exports that are sent via Email and/or uploaded to Cloud Storage (for example, AWS S3).
Frequently Asked Questions (FAQ)
What is an application?
An Application is a collection of resources/infrastructure that’s dynamically built and maintained as customer infrastructure scales up/down to support their workloads. These collections are built based on the presence of a specific tag key that is configured within InsightCloudSec.
What’s the difference between Applications and Resource Groups?
There are similarities between Resource Groups and Applications. They are not mutually exclusive and the customer can absolutely have both. There are several limitations of Resource Groups where Applications shine:
- Resource Groups need to be manually built and maintained. They cannot be dynamically created based on tagging, etc.
- Resource Groups cannot easily be kept in sync as resources change. Doing so requires customers to maintain Bots, which presents scaling challenges since a Bot can only curate into a single group. If a customer wanted this for 100 groups, they'd need 100 Bots.
- Resource Groups do not support custom attributes such as criticality, business critical ("crown jewel"), POC, category, etc.
What if I don’t have a tag key that defines an application?
This capability is additive and is not required within InsightCloudSec. While strongly encouraged, customers can skip this set up and continue leveraging all of the great capabilities. We recommend reading up on Tagging Best Practices as proper tagging not only enriches the capabilities within InsightCloudSec, but within your CSP as well.
Where can Applications be used within the product?
Applications can be used in the following sections of the tool:
- Resources
- Compliance Scorecard
- Insights
- Layered Context
- Host Vulnerabilities
- Exemptions
- Filters
There are plans to expand this to other areas in the coming months.
Can I leverage Applications as a way to scope user visibility across the product?
At this time Applications is not a supported permission scoping mechanism. Customers can scope by badges, clouds and/or resource groups.
Can I turn off Applications for basic users if I don’t want to use them?
Yes. Applications currently support the User Entitlements Matrix, making it easy to turn off the capability for customers who are not interested in using it.
What’s the purpose of metadata fields such as Business Critical, Criticality, etc.?
For the initial launch of Applications, the metadata fields can be used to help customers create different perspectives on compliance violations, inventory, vulnerabilities, and threat findings. In the coming months, we will be leveraging this metadata as a way to better categorize risk.
Can I scope one or more Bots based on Application membership?
At this time, Bots cannot use Applications as a scoping mechanism.
How do permissions work with Applications?
Domain/Organization Administrators have full control over Application management. This includes updating settings, modifying business critical status, and modifications to other metadata properties. When given the proper entitlements, basic users can view Applications, but can only see the infrastructure/resources within the application that are located in Cloud Accounts they have view/read access to. Basic users with editor permissions can update Application metadata/properties.
Can I bulk edit Application metadata?
The UI currently does not have bulk update capabilities; however, the API allows for bulk updating. See our API documentation for more information.
Can a customer input multiple tag keys/permutations for defining Applications?
At this time we only allow customers to input a single tag key. They can support multiple permutations of the tag key by selecting Case Insensitive in the Application Settings screen. In future releases we will look to support multiple tag keys.
What is the Trim Whitespace Application setting used for?
As one expects with tags, end-users can mistakenly add leading/trailing whitespace in their tag. As an example, instead of the application “ ProductionApp ” it would become “ProductionApp”.
How are the Applications kept in sync?
A processor runs every six hours to baseline and aggregate Applications across InsightCloudSec. As resources are harvested, their tags are analyzed and assessed to keep Application association in sync in real time.
Can I propagate lifecycle actions such as tagging for all resources within an Application?
At this time automation actions cannot be taken from the Application Context. We plan on adding this capability in Q2.
Can I view historical compliance results by Application in the Summary/Insight views?
At this time we do not support historical analysis of Compliance/Insight results scoped by Application.
Can I combine Application scoping with other scoping methods (e.g., Badges)?
Scope combinations can be done within both the Layered Context and Host Vulnerability sections of the product. You cannot combine scopes within Insights, Resources, or the Compliance Scorecard.
Are there plans to support additional scoping by tags?
Yes. Over the next few months, we will look to expand this construct to other tagging categories (Owner, Location, etc.).