Security considerations when using Hava to automate your network topology diagrams.
Hava is a solution that allows you to automatically visualize aspects of your IT infrastructure from most of the major cloud providers. Once data is imported, Hava generates a variety of different views such as infrastructure/network diagrams and security group diagnostics.
In a security-conscious IT landscape, we completely appreciate the caution with which you'd approach a product like Hava.
When Hava imports data, it needs to be able to access resource attributes that can help us understand the identity, structure and behaviour of the systems we're going to diagram. When we retrieve data from AWS we use the various Describe methods, which can occasionally contain sensitive information.
The only fields that are stored in the database are those that relate to being able to generate diagrams or displaying certain attributes. We do not store the user_data field or anything that contains sensitive environment variables.
AWS keys are stored using AES encryption, but we also encourage using Amazon Cross Account Roles to grant access, which AWS promotes as best practice.
Finally, the user is free to tighten the IAM policy to whatever it is that they're comfortable with.
Hava will work past any resources that are restricted or can't be identified. This of course can cause diagram inaccuracy as we must be able to retrieve a rudimentary amount of the EC2 data to create anything useful.
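One way to check a policy before attaching it to the role or key given to Hava, as an added example (not Hava's code and not a Hava-published policy): it flags every allowed action that is not a Describe/Get/List call and reports whether instance user data stays readable. The sample policy, the read-verb prefix list and the function names are assumptions of this example.

```python
import fnmatch

READ_VERBS = ("describe", "get", "list")  # assumption: these prefixes mean read-only
USER_DATA_CALL = "ec2:describeinstanceattribute"  # this call can return userData

# Constructed sample policy for the demo; not a policy published by Hava.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "rds:DescribeDBInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:StartInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:DescribeInstanceAttribute", "Resource": "*"},
    ],
}

def as_list(value):
    """IAM accepts a single item or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    """True only if every call the pattern can match starts with a read verb."""
    service, _, name = action.lower().partition(":")
    if not name or "*" in service or "?" in service:
        return False  # bare "*" or a wildcard service
    literal = name.split("*")[0].split("?")[0]  # text before the first wildcard
    return literal.startswith(READ_VERBS)

def audit(policy):
    """Return (non-read-only Allow entries, whether user data is readable).

    Simplification: Resource and Condition elements are ignored.
    """
    allowed, denied, findings = [], [], []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and "NotAction" in stmt:
            findings.append("NotAction")  # allows everything except the listed actions
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.extend(a.lower() for a in as_list(stmt.get("Action")))
    findings += [a for a in allowed if not is_read_only(a)]
    user_data = (any(fnmatch.fnmatchcase(USER_DATA_CALL, a) for a in allowed)
                 and not any(fnmatch.fnmatchcase(USER_DATA_CALL, d) for d in denied))
    return findings, user_data

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

A read-only verdict here only means the calls cannot modify resources; Get and Describe responses can still carry sensitive values, which is why the user data check is reported separately.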
Impact of the service failing
Hava does not operate within the critical path of any user's workflow. Due to the nature of the service and the way it reads data from the user's cloud provider, the only impact of Hava not working would be losing the ability to update an existing diagram or create a new one. Hava has no ability to change or update anything in your cloud environment; it is strictly a read-only interaction.
Location of services
The production environment is currently located within the USA. If you have specific needs for this data to be stored elsewhere, please get in touch with us.
Data that it uses
Hava imports users' data via the AWS, Azure and GCP APIs. The basic level of information it requires to generate a useful AWS visualization centers around the AWS EC2 service. We offer a variety of IAM policy configurations that can allow or deny access to certain calls based on the user's security policy and comfort with the service. This allows for a "progressive enhancement" style algorithm depending on the access granted to certain resources.
Data that it stores
Hava stores metadata around each running service (i.e. resource ids, configuration values, current metrics) to allow diagrams to be identified and created. Hava imports no data from within user services; however, you are welcome to alter the IAM policy to allow a level of access you are comfortable with.
Is it encrypted?
RDS is configured to encrypt all data at rest. Additionally, column-level encryption of any secret credentials is performed to ensure that data cannot be decrypted without a private key from the application server. This protects against potentially harmful SQL injection attacks.
What control can we have?
Hava can offer a hosted solution for any users who prefer to maintain control over where their data is accessed, stored and hosted.
What protection is in place against unauthorised access?
Hava takes security very seriously. Only a small core group of senior employees has access to production data. Encryption is used by default for all network communication, and is also used within the database for any credentials. SSH and network-level access are disallowed on all servers, and we follow the principles of immutable artifacts and infrastructure to ensure what is tested is what is deployed.