πŸ’»
πŸ’»
πŸ’»
πŸ’»
Documentation
Search…
πŸ’»
πŸ’»
πŸ’»
πŸ’»
Documentation
Introduction
Index
Home
Login to hava
Hava API
Importing Data
Demo Data
AWS
Azure
Google Cloud
Import Errors
What's Visualized
Supported Cloud Providers
Quick Start
Hava Environments Dashboard
Viewing Environments
Search vs Filter
Infrastructure Diagram Visual Controls
Infrastructure Resource Attributes Tab
How to Sync Cloud Account Data
Cost Estimation
Reporting
AWS Compliance Reports
Versioning
Versioning
Tracking Changes in Cloud Architecture
Using the API
Authentication
Using Hava
Customize the Hava Dashboard
Viewing Route Tables
Viewing Network ACLs
Viewing resources in a Security Group
Defining Custom Environments
Discover Resources From Regions
Create a multiple VPC diagram
Export Diagrams
Editing Cloud Infrastructure Diagrams using Draw.io and Hava
Exporting an Environment Diagram
Embedded Viewer
Account
Types Of Hava Accounts
How to Cancel
How to change your Hava password
How to change your Hava subscription
Team Collaboration
Download Invoice
Discover
Importing
Searching
Collaboration
Teams
Inviting Users
Disabling users
SSO/SAML
Project Folders
Quick Look
Quick AWS Overview
Security Overview
Powered By GitBook
Security Overview
Security considerations when using Hava to automate your network topology diagrams.

Security Overview

Hava is a solution that allows you to automatically visualize aspects of your IT infrastructure from most of the major cloud providers. Once data is imported Hava generates a variety of different views such as infrastructure/network diagrams and security group diagnostics.
In a security conscious IT landscape, we completely appreciate the caution that you'd approach a product like have with.
When Hava imports data, it needs to be able to access resource attributes that can help us understand the identity, structure and behaviour of the systems we're going to diagram. When we retrieve data from AWS we use the various Describe methods, which can occasionally contain sensitive information.
The only fields that are stored in the database are those that relate to being able to generate diagrams or displaying certain attributes. We do not store the user_data field or anything that contains sensitive environment variables.
Credentials
AWS keys are stored using AES encryption, but we also promote using Amazon Cross Account Roles for allowing access which is promoted by AWS as best practice.
Finally, the user is free to tighten the IAM policy to whatever it is that they're comfortable with.
Hava will work past any resources that are restricted or can't be identified. This of course can cause diagram inaccuracy as we must be able to retrieve a rudimentary amount of the EC2 data to create anything useful.
Impact of the service failing β€Œ
Hava does not operate within the critical path of any user's workflow. Due to the nature of the service and the way it reads data from the user's cloud provider, the only impact of Hava not working would be the functionality of updating an existing, or creating a new diagram. Hava has no ability to change or update anything in your cloud environment, it is strictly a read-only interaction.β€Œ
Location of services
The current production environment is currently located within USA. If you have specific needs for this data to be stored elsewhere, please get in touch with us.
Data that it usesβ€Œ
Hava imports users data via the AWS, Azure and GCP APIs. The basic level of information it requires to generate a useful AWS visualization centers around the AWS EC2 service. We offer a variety of IAM policy configurations that can allow or deny access to certain calls based on the users security policy and comfort with the service. This allows for a "progressive enhancement" style algorithm depending on the access granted to certain resources.
Data that it stores
Hava stores metadata around each running service (i.e. resource ids, configuration values, current metrics) to allow diagrams to be identified and created. Hava imports no data from within user services, however you are welcome to alter the IAM policy to allow a level of access you are comfortable with.
Is it encrypted?
RDS is configured to store all data at rest. Additionally, column-level encryption of any secret credentials are performed to ensure that data cannot be decrypted without a private key from the application server - this protects against potentially harmful SQL injection attacks.
What control can we have?
Hava can offer a hosted solution for any users who prefer to maintain control over where their data is accessed, stored and hosted.
What protection is in place against unauthorised access?
Hava takes security very seriously. Only a small core group of senior employees have access to production data. Encryption is used by default for all network communication, and is also used within the database for any credentials. SSH and network-level access is disallowed on all servers, and we follow the principles of immutable artifacts and infrastructure to ensure what is tested is what is deployed.
Quick Look - Previous
Quick AWS Overview
Last modified 3mo ago
Copy link