Introduction to EndState CloudSec
Welcome to EndState CloudSec, your unified platform for visualizing, defining, and deploying cloud security policies across multiple providers.
The Challenge
Managing network security in a multi-cloud environment is complex. Each provider (AWS, Azure, GCP) has its own set of tools, concepts, and interfaces for defining security rules like Security Groups, Network Security Groups, and VPC Firewall Rules. This fragmentation leads to:
- Inconsistent Policies -- It is difficult to ensure that a security policy applied in one cloud has an equivalent in another.
- Lack of Visibility -- There is no single place to see how your resources are segmented and how data is allowed to flow between them.
- Manual Deployment Risk -- Manually translating high-level security requirements into provider-specific rules is tedious and prone to human error, which can lead to security gaps.
- Complex Auditing -- Verifying that the deployed rules actually match the intended security posture requires deep expertise in each cloud provider's tooling.
The EndState CloudSec Solution
EndState CloudSec provides a provider-agnostic abstraction layer to solve these challenges. It allows you to define your security posture in a simple, visual, and centralized way, and then automatically translate it into the native configuration for each of your cloud providers.
Key Concepts
| Concept | Description |
|---|---|
| Profiles | Connect your cloud provider accounts (AWS, Azure, GCP) using secure, API-based authentication. |
| Resource Discovery | Once connected, EndState CloudSec automatically discovers your existing network resources like subnets, VMs, and database endpoints. |
| Zones | Create logical security zones (e.g., Public DMZ, Data Zone, PCI-Compliance Zone) and assign your discovered resources using drag-and-drop. |
| Flows | Visually define the allowed data flows between your zones. For example, allow TCP/5432 from your Application Zone to your Data Zone. |
| Deployment Plan | Based on your zones and flows, the application generates a clear, abstract deployment plan. |
| Automated Translation | The abstract plan is translated into concrete, provider-specific actions, such as creating a Security Group in AWS or adding a rule to a Network Security Group in Azure. |
| Review and Deploy | Review every proposed API call before approving and executing the deployment. The system identifies which rules already exist and which are new. |
| Validation | After deployment, run automated checks to verify that the live cloud configuration correctly implements the data flows you defined. |
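To make the pipeline in the table concrete (zones and flows, an abstract plan, translation into provider rules, a review that separates existing rules from new ones, and post-deployment validation), here is an added Python example. It is not EndState CloudSec's own code: the zone/flow data model, the CIDR-based zone membership, and the AWS-style `IpPermissions` shape are assumptions chosen for illustration, the sample "live" rules are constructed, and no provider API is called.

```python
"""Illustrative zone/flow -> provider-rule translation, review and validation.

Added example, not EndState CloudSec's code. The data model and the
AWS-style ingress rule shape (resembling boto3 IpPermissions) are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """An allowed data flow between two zones on one protocol/port."""
    src_zone: str
    dst_zone: str
    protocol: str  # "tcp" or "udp"
    port: int


# Constructed sample: resources (here CIDRs) assigned to each zone.
ZONES = {
    "Public DMZ": ["10.0.0.0/24"],
    "Application Zone": ["10.0.1.0/24", "10.0.2.0/24"],
    "Data Zone": ["10.0.10.0/24"],
}

# Constructed sample flows, including the TCP/5432 example from the table.
FLOWS = [
    Flow("Application Zone", "Data Zone", "tcp", 5432),
    Flow("Public DMZ", "Application Zone", "tcp", 443),
]


def plan(zones, flows):
    """Abstract deployment plan: one entry per flow, resolved to source CIDRs."""
    return [
        {"target_zone": f.dst_zone, "protocol": f.protocol, "port": f.port,
         "sources": list(zones[f.src_zone])}
        for f in flows
    ]


def to_aws_ingress(plan_entries):
    """Translate the abstract plan into AWS-style ingress permissions per target zone."""
    rules = {}
    for e in plan_entries:
        rules.setdefault(e["target_zone"], []).append({
            "IpProtocol": e["protocol"],
            "FromPort": e["port"],
            "ToPort": e["port"],
            "IpRanges": [{"CidrIp": c} for c in e["sources"]],
        })
    return rules


def atomic(rules):
    """Flatten permissions into (protocol, from, to, cidr) tuples so rules compare one by one."""
    return {
        (r["IpProtocol"], r["FromPort"], r["ToPort"], ip["CidrIp"])
        for r in rules for ip in r["IpRanges"]
    }


def review(desired, live):
    """Review step: which desired rules already exist and which would be created."""
    want, have = atomic(desired), atomic(live)
    return {"existing": sorted(want & have), "new": sorted(want - have)}


def validate(desired, live):
    """Validation step: desired rules not live are 'missing'; live rules not desired are 'unexpected'."""
    want, have = atomic(desired), atomic(live)
    return {"missing": sorted(want - have), "unexpected": sorted(have - want)}


# Constructed sample of what a live Data Zone security group might contain:
# one of the two desired sources is already allowed, plus an unrelated SSH rule.
LIVE_DATA_ZONE = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


if __name__ == "__main__":
    aws_rules = to_aws_ingress(plan(ZONES, FLOWS))
    for zone, rules in aws_rules.items():
        print(zone, rules)
    print("review:", review(aws_rules["Data Zone"], LIVE_DATA_ZONE))
    print("validate:", validate(aws_rules["Data Zone"], LIVE_DATA_ZONE))
```

The review output is what a "review every proposed API call" step would show an operator before deployment; the validation output is the post-deployment check, where an "unexpected" entry such as the world-open SSH rule is the kind of drift that a flow-based posture would never have produced and that deserves attention.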
Multi-Tenant Design
EndState CloudSec is built as a multi-tenant platform. Each customer organization is fully isolated:
- Organization-scoped data -- All cloud profiles, zones, flows, and audit logs are scoped to an organization.
- Data isolation -- Strict security policies ensure that users can only access data belonging to their organization.
- Role-based access -- Users can be assigned `owner`, `admin`, or `member` roles within their organization.
- Invitation system -- Organization admins can invite new team members via email.
Subscription Plans
| Plan | Price | Features |
|---|---|---|
| Starter | $29/mo | 4 clouds, 2 zones, 2 flows, email support |
| Professional | $120/mo | 4 clouds, 3 zones, 3 flows, email support |
| Enterprise | $840/mo | 4 clouds, unlimited zones, unlimited flows, priority phone & email support |
This documentation will guide you through each of these features, helping you take control of your multi-cloud security posture.