Release Notes

This topic lists both the latest features now available in ACE and important documentation updates.

Note: In our technical documentation, we use the term "Azure Firewall" to refer to Azure Firewall (Policy-based) devices, distinguishing it from Azure Firewall (Classic).

March 2025 Update

New Virtual Machines Tab on the Overview Page

Introducing the new Virtual Machines tab on the Overview page, which lets you view VMs from your selected Account, VPCs/VNets, or Vendor. You can quickly spot VMs with critical risks or confirm proper public IP allocations. Click any VM to see its associated risk triggers and learn more about it. See Review Account Status. (Released 18-Mar-2025)

AWS cross-account resource sharing

Cloud App Analyzer now supports discovering applications whose resources span multiple AWS accounts. The AWS collector gathers ownership details for the following resource types:

  • EC2 instances

  • Internet gateways

  • Network interfaces

  • VPCs

  • Subnets

  • Route tables

  • Security groups

  • VPC endpoints

  • Network ACLs

If any resource is from another AWS account, an AWS account node is added to the dependency graph.

The badge on this node shows how many risks were detected across the applications discovered in that external account.

Clicking the node opens the applications page with a deep link to the selected AWS account. (Released 4-Mar-2025)
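The ownership check described above, as an added illustration that is not AlgoSec's collector code: each resource record carries the account that owns it, resources owned by an account other than the onboarded one are linked to an AWS account node, and that node's badge sums the risks found on the resources discovered there. The resource records, account IDs and risk counts are constructed sample data.

```python
"""Dependency-graph construction for cross-account AWS resources.

Added illustration, not AlgoSec code. Resources whose owner differs from the
onboarded account get an "aws_account" node in the graph, and that node's
badge counts the risks found on the resources discovered in the external
account.
"""
from collections import defaultdict

# Resource types for which the release note says ownership is collected.
SHARED_RESOURCE_TYPES = {
    "ec2_instance", "internet_gateway", "network_interface", "vpc",
    "subnet", "route_table", "security_group", "vpc_endpoint", "network_acl",
}


def build_dependency_graph(resources, home_account):
    """Return {"nodes": {...}, "edges": [...]} for the given resource records.

    resources: iterable of dicts with keys "id", "type", "owner" and "risks"
               (risks = number of detected risks on that resource).
    home_account: the onboarded AWS account ID (a constructed value in the demo).
    """
    nodes = {}
    edges = []
    external_risks = defaultdict(int)
    for r in resources:
        if r["type"] not in SHARED_RESOURCE_TYPES:
            continue  # ownership is not collected for this type; skip it
        nodes[r["id"]] = {"kind": r["type"], "owner": r["owner"], "risks": r["risks"]}
        if r["owner"] != home_account:
            acct_id = f"aws_account:{r['owner']}"
            # One account node per external account, created on first sighting.
            nodes.setdefault(acct_id, {"kind": "aws_account", "account": r["owner"], "badge": 0})
            external_risks[acct_id] += r["risks"]
            edges.append((r["id"], acct_id))
    for acct_id, count in external_risks.items():
        nodes[acct_id]["badge"] = count
    return {"nodes": nodes, "edges": edges}


def external_accounts(graph):
    """Map external account ID -> risk badge, as shown on the account node."""
    return {n["account"]: n["badge"]
            for n in graph["nodes"].values() if n["kind"] == "aws_account"}


# Constructed sample: a VPC and subnet shared from account 222..., a local
# instance, and an S3 bucket (a type the collector does not gather ownership for).
SAMPLE_RESOURCES = [
    {"id": "vpc-0a1b", "type": "vpc", "owner": "222222222222", "risks": 1},
    {"id": "subnet-0c2d", "type": "subnet", "owner": "222222222222", "risks": 2},
    {"id": "i-0e3f", "type": "ec2_instance", "owner": "111111111111", "risks": 3},
    {"id": "bucket-x", "type": "s3_bucket", "owner": "333333333333", "risks": 9},
]

if __name__ == "__main__":
    g = build_dependency_graph(SAMPLE_RESOURCES, home_account="111111111111")
    print(external_accounts(g))  # {'222222222222': 3}
```

Only resource types the collector gathers ownership for contribute nodes, so the S3 bucket in the sample never produces an account node even though it is owned by a third account.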

Cloud App Analyzer Application Discovery now supports Azure AKS Integration

Cloud App Analyzer Application Discovery now discovers and visualizes the structure and organization of AKS clusters, highlighting Kubernetes-related risks such as risky configurations, vulnerabilities, and exposed secrets. It also integrates results from both static and dynamic container analyses for the containers running workloads in AKS. See Cloud App Analyzer Application Discovery. (Released 3-Mar-2025)

February 2025 Update

AWS SOC 2 Compliance Scanning

Now for AWS, Cloud App Analyzer helps you stay compliant with the SOC 2 standard across all your cloud assets and applications. The SOC 2 compliance framework is designed to ensure third-party service providers securely store and process client data. (Released 18-Feb-2025)

New VM Scanner

Introducing the new Cloud App Analyzer VM Scanner that enhances cloud workload security by providing agentless scanning for virtual machines, starting with support for AWS EC2 instances. This robust solution addresses the growing complexity of securing workloads in cloud environments, focusing on:

  1. Vulnerability Assessment

  2. Antivirus and Malware Detection

  3. Exposed Secrets Identification

See Enable Virtual Machine Security. (Released 7-Feb-2025)

January 2025 Update

New VPCs / VNets tab

We've added a new VPCs / VNets tab to the Overview page that lets you see an aggregated view of all your AWS VPCs, Google Cloud VPCs and Azure VNets from multiple accounts. Easily identify VPCs / VNets that have low security ratings, risky virtual machines, critical risks, and other vital information to better manage your cloud security. Use the filters to focus on a subset of VPCs / VNets, for example to find virtual machines with public addresses. For more details, see VPCs / VNets tab. (Released 23-Jan-2025)

AWS WAF Support in Cloud App Analyzer

We’re excited to announce that Cloud App Analyzer now supports AWS WAF (Web Application Firewall), enabling enhanced visibility and control over your web application security. This new capability lets you integrate WAF configurations into your security workflows, giving you greater control and protection. Gain insights into your Web Access Control Lists for improved application-level threat management. Analyze and manage AWS WAF rule groups to fine-tune your WAF policies. Expanded support for related AWS WAF resource types provides a more comprehensive security view. (Released 14-Jan-2025)

AWS Organizational Unit insights in Cloud App Analyzer

Cloud App Analyzer now displays AWS account organizational unit information (when available), expanding AWS account search and filter capabilities to include organizational units. You can view the new Organizational Unit (Account OU) column on the AWS Dashboard as well as in multi-account data tables. See Getting Around Cloud App Analyzer. (Released 14-Jan-2025)

December 2024 Update

New APIs to download scheduled reports

AlgoSec can now automatically create scheduled Policy and Risk CSV reports via APIs. The reports can be used for status archiving and for business intelligence (BI) integration. See Export risk and risk trigger details and Export Policy Sets. (Released 17-December-2024)

Export risk details to a CSV file

You can now export all your Azure NSG, Azure Firewall, and Google Cloud risks to a CSV report—expanding on the existing capability to export risk details for AWS. The CSV report includes detailed information about the risks, the affected virtual machines, the tags associated with them, and information about the associated network interfaces. This allows for easy sharing with relevant stakeholders, further analysis and using it in external business intelligence (BI) systems. For details, see Export risk and risk trigger details. (Released 10-December-2024)

Quick access to Cloud Network Security from Cloud App Analyzer

For a holistic view of your associated firewall policies and their associated risks, use the new Go to AlgoSec Cloud link in the user menu. See 6 User name (with dropdown menu). (Released 17-Dec-2024)

Improved Cloud App Analyzer Navigation

We’ve reorganized the menu navigation so that it now groups items in a more logical way. This includes creating a new Settings and Configuration section. (Released 17-Dec-2024)

AWS Network Firewall Networking Risk Analysis

Cloud App Analyzer now supports comprehensive risk analysis for AWS Network Firewall and Firewall Policies. This enhancement consolidates all identified issues into a single view, allowing you to easily assess risks across both firewalls and their associated policies. For each issue, you'll find detailed information, including severity levels and actionable remediation steps, empowering you to address vulnerabilities effectively and maintain a robust security posture. (Released 10-Dec-2024)

November 2024 Update

Google Cloud Network Firewall Policy | Secure tag keys

Cloud Network Security now collects Network Firewall Policy secure tag keys. This information is used for Google Cloud Traffic Simulations.

The following additional permission is required for this feature to work correctly:

  • resourcemanager.tagKeys.list

For details on permissions, see Permissions required for Google Cloud. (Released 12-November-2024)

VPC Summary | See Public IPs and Private Subnets

Now you can see the public IP addresses and private subnets associated with all interfaces in Azure VNets and AWS/Google Cloud VPCs. For more details, see The Account Summary Tab. (Released 12-November-2024)

Extended export to PDF and CSV capabilities

Now you can export detected risks, scan results, history of pull requests and applications, to PDF and CSV files. (Released 26-Nov-2024)

Streamlined Azure Onboarding: Enhanced Security with Custom Roles

We have updated the onboarding script for Azure, replacing the contributor role with a new custom role with more limited permissions, as follows:

  • "Microsoft.EventGrid/eventSubscriptions/read"
  • "Microsoft.ContainerRegistry/registries/read"
  • "Microsoft.EventGrid/eventSubscriptions/write"
  • "Microsoft.Web/sites/functions/write"

Existing customers who onboarded Azure prior to 18-Nov-2024 can now reduce the permissions by re-onboarding Azure. See Cloud App Analyzer Azure Onboarding Script. (Released 18-Nov-2024)
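A least-privilege check for the role change described above, as an added illustration that is not part of AlgoSec's onboarding script: given the actions a role grants (which in Azure may contain wildcards such as "Microsoft.EventGrid/*" or "*", as the Contributor role effectively does) and the four actions the release note lists, it reports which required actions are missing and which granted patterns are broader than the listed needs. The role definitions compared here are constructed; the required-action list is the one from the release note.

```python
"""Least-privilege check for an Azure custom role definition.

Added illustration, not AlgoSec's onboarding script. Compares the actions a
role grants against the actions the onboarding needs and flags both gaps and
over-broad grants. Role definitions used in the demo are constructed.
"""
from fnmatch import fnmatchcase

# The four actions the release note lists for the new custom role.
REQUIRED_ACTIONS = [
    "Microsoft.EventGrid/eventSubscriptions/read",
    "Microsoft.ContainerRegistry/registries/read",
    "Microsoft.EventGrid/eventSubscriptions/write",
    "Microsoft.Web/sites/functions/write",
]


def action_matches(pattern, action):
    """Azure-style match: '*' in a granted pattern matches any run of characters,
    including across '/' segments (so "*" alone covers every action)."""
    return fnmatchcase(action, pattern)


def check_role(granted_actions, required_actions=REQUIRED_ACTIONS):
    """Return which required actions the role lacks and which grants exceed them.

    A grant is "broad" if it contains a wildcard or is a literal action that is
    not in the required set; a role is least-privilege when nothing is missing
    and nothing is broad.
    """
    missing = [a for a in required_actions
               if not any(action_matches(p, a) for p in granted_actions)]
    broad = [p for p in granted_actions if "*" in p or p not in required_actions]
    return {"missing": missing, "broad": broad,
            "least_privilege": not missing and not broad}


# Constructed role definitions for the demo.
CONTRIBUTOR_LIKE = ["*"]                       # grants everything
CUSTOM_ROLE = list(REQUIRED_ACTIONS)           # exactly the listed actions
TOO_NARROW = REQUIRED_ACTIONS[:3]              # forgot the Functions write action

if __name__ == "__main__":
    for name, actions in [("contributor-like", CONTRIBUTOR_LIKE),
                          ("custom", CUSTOM_ROLE), ("too-narrow", TOO_NARROW)]:
        print(name, check_role(actions))
```

Run against a real role definition, the granted list would be the role's "actions" array (for example from the output of `az role definition list`); the check itself needs no cloud access.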

October 2024 Update

Google Cloud Network Firewall policy visibility

Cloud Network Security now displays Google Cloud Network Firewall policies for each VPC in the Firewall Policies Tab.

Note: An additional permission is required for this feature to work correctly:

  • compute.regionFirewallPolicies.list

    (this replaces the obsolete permission compute.regionNetworkFirewallPolicies.list)

For details on permissions, see Permissions required for Google Cloud.

For details see Network policy sets. (Released 23-October-2024)

Additional permissions required to onboard GCP via Terraform, API and No Script

Additional permissions are required to onboard GCP via Terraform, API and No Script:

  • compute.interconnectAttachments.list

  • compute.interconnects.list

For details on permissions, see Permissions required for Google Cloud. (Released 23-October-2024)

Azure onboarding script explained

We've added a new topic explaining the Azure onboarding script, outlining the purpose and functionality of each part of the code. See Cloud App Analyzer Azure Onboarding Script. (Released 15-Oct-2024)

Enhanced Application Discovery Search field

We've enhanced the search field in Application Discovery. For both applications and microservices, you can now also search for resource types and resource labels as well as resource tags. (Released 15-Oct-2024)

Cloud App Analyzer Kubernetes Security Enhancements – AKS Integration

Cloud App Analyzer now supports Azure AKS Kubernetes Managed Service. Note that an additional Azure role (Azure Kubernetes Service Cluster User Role) is required for permission to perform a KSPM scan on the Kubernetes clusters. See Kubernetes Security Posture Management (KSPM) and Permissions Required for Azure Subscriptions. (Released 7-Oct-2024)

September 2024 Update

Export AWS risk details to a CSV file

AlgoSec Cloud now lets you export a snapshot of risks and risk trigger information for easy sharing with relevant stakeholders and further analysis. As part of this feature, self-referencing rules are now indicated in the Comments column of the exported file. For details, see Export risk and risk trigger details. (Released 10-September-2024)

Cloud App Analyzer Kubernetes Security Enhancements – EKS Integration

Cloud App Analyzer introduces comprehensive Kubernetes security monitoring, starting with AWS EKS. As Kubernetes environments become more complex, maintaining a secure posture while managing vulnerabilities and compliance violations is critical.

Key Features:

  • EKS Focus: Cloud App Analyzer now supports automatic onboarding of all Kubernetes clusters across AWS EKS, with plans for multi-cloud vendor support coming soon.

  • Auto-Discovery: Seamlessly discover all clusters within each of your AWS accounts across all regions.

  • Efficient Scanning: Each cluster undergoes an in-depth security scan by the Cloud App Analyzer KSPM scan engine. Scans take a few minutes per cluster, depending on configuration.

  • Continuous Monitoring: Cloud App Analyzer performs daily scans and continuously updates your Kubernetes security posture. Any changes, such as new clusters, deleted clusters, or new vulnerabilities, are automatically reflected, ensuring your environment remains secure and up-to-date.

By simplifying cluster management and vulnerability detection, Cloud App Analyzer helps you maintain strong security practices as your Kubernetes environment scales. See Kubernetes Security Posture Management (KSPM). (Released 11-Sep-2024)

August 2024 Update

New AlgoSec Cloud deployment locations for UAE and IND regions

We're excited to announce the addition of a new ACE deployment location for our valued users in the UAE and IND regions. ACE is now hosted on the following AWS availability zones:

  • IND: ap-south-1 (Mumbai)

  • UAE: me-central-1 (UAE)

  • ME: me-south-1 (Bahrain)

  • US: us-east-1 (N. Virginia)

  • EMEA: eu-central-1 (Frankfurt)

  • ANZ: ap-southeast-2 (Sydney)

See Logging in and out. (Released 5-August-2024)

Azure Support of Cloud App Analyzer Application Discovery

The Application Discovery feature has been enhanced to support Azure, expanding its capability beyond AWS. This advanced solution now identifies applications within both AWS and Azure environments, presenting a comprehensive graph of the applications' resource inter-dependencies. The graph details the application’s structure, highlights elements with security issues, and offers a visual view of complex relationships within the cloud environment. By pinpointing vulnerabilities within the application, this tool helps prioritize security issues based on their placement and impact, across both AWS and Azure platforms. See Cloud App Analyzer Application Discovery. (Released 28-Aug-2024)

New Cloud App Analyzer deployment locations for ME, UAE and IND regions

We're excited to announce the addition of a new Cloud App Analyzer deployment location for our valued users in the ME, UAE and IND regions. Cloud App Analyzer is now hosted on the following AWS availability zones:

  • ME: me-south-1 (Bahrain)

  • UAE: me-central-1 (UAE)

  • IND: ap-south-1 (Mumbai)

  • US: us-east-1 (N. Virginia)

  • EMEA: eu-central-1 (Frankfurt)

  • ANZ: ap-southeast-2 (Sydney)

See Logging in and out. (Released 5-August-2024)

July 2024 Update

View risk triggers associated with virtual machines

Now you can easily identify all the risk triggers associated with a virtual machine in one convenient location, and then follow up to investigate the rule which is the root cause of the risk. For more details, see View risk triggers associated with a virtual machine. (Released 22-July-2024)

How to offboard cloud resources

We've updated the documentation to provide clear instruction on how you can offboard your AWS, Azure, and Google Cloud resources. For details see:

(Released 5-July-2024)

Kubernetes cluster risk insights

The new Kubernetes Security Dashboard delivers insights into cluster misconfigurations, vulnerabilities and exposed secrets. Benefit from advanced visualizations and detailed analytical reports to effectively manage and mitigate security risks. See Kubernetes Security Posture Management (KSPM). (Released 30-July-2024)

Cloud App Analyzer System Roles

Cloud App Analyzer now supports three system roles for more granular control over user permissions, ensuring that each user has access to only the necessary features based on their role. The Admin role has full access to all settings, resources, and sections; the Security Manager role has full access except for User Management; and the Auditor role has read-only access to specified features. See Manage User Roles. (Released 23-July-2024)

New Cloud App Analyzer deployment location for Europe, the Middle East, and Africa (EMEA) region

We're excited to announce the addition of a new Cloud App Analyzer deployment location for our valued users in the Europe, the Middle East, and Africa (EMEA) region. See Logging In and Out. (Released 2-July-2024)

June 2024 Update

CSV reports | See risk details for exported policy sets

When you export a policy CSV report, by default the report now includes the associated risks for each rule. (Released 25-June-2024)

Application Discovery Enhanced!

Our dependency graph now automatically identifies microservices within your applications. A microservice consists of an interconnected set of cloud resources that collectively perform a set of functions or a service and work together with other microservices to form the larger application. See Cloud App Analyzer Application Discovery. (Released 23-June-2024)

Export your dashboard to PDF or CSV

Export your dashboard views to files in PDF or CSV format, for both single and multi-account views. This enables you to easily share the data with others or perform further analysis in a spreadsheet program. See Getting Around Cloud App Analyzer. (Released 21-June-2024)

May 2024 Update

Enhanced User Management with SSO Group Mapping!

Create groups of users based on their job roles, departments, or other criteria in your identity provider. Then, in AlgoSec Cloud, you can associate these SSO groups with user roles and set their permissions. See SSO Group mapping and management. (Released 29-May-2024)

Rebranding Update: CloudFlow is now called AlgoSec Cloud

We're excited to share that CloudFlow has a new name – AlgoSec Cloud! This name change reflects our evolving brand identity, and is already aligned in our latest marketing initiatives.

Export Policy Report to CSV

Now you can download a detailed policy report that includes security network policies and their corresponding rules in a convenient CSV format. Perform in-depth analysis of your security landscape and share insights with relevant stakeholders. For more details, see Export policy set details to a CSV file. (Released 6-May-2024)

Introducing Application Discovery

Application discovery is an advanced solution designed to identify applications within a customer environment and present a graph of the applications' resource inter-dependencies. This graph details the application’s structure and highlights elements with security issues, offering a view of the complex relationships within the cloud environment. By showing where vulnerabilities occur within the application, this visual tool helps prioritize security issues based on their placement and impact. See Cloud App Analyzer Application Discovery. (Released 21-May-2024)

View GCP AR CD mitigation scan history

The GAR CD Mitigation Scan History page provides a scan log of each deployment of an image in the Artifact Registry (AR). You can view a summary of all scan history or drill down for details of each GCP project. See Enable Threat Management on GCP AR. (Released 16-May-2024)

April 2024 Update

Azure Firewall | Network Zone Definitions

Now you can define the network zones Internal, DMZ and External in the customized risk profile Excel file, improving risk assessments and risk accuracy. See Network Zone Definitions: Enhanced Risk Accuracy. (Released 11-April-2024)

ACE Notifications

Manage notifications about risk & policy changes and ASMS connectivity on the new Notifications page. You can set notifications to be sent via email and Microsoft Teams to selected users ensuring they receive only the notifications that are most relevant to them. For more details, see Configure CloudFlow Notifications. (Released 10-April-2024)

Custom Risk reports

Now you can customize a risk report by selecting specific risks to include, focusing only on the areas that matter most to you. We've also provided the option in the report to only show the number of affected assets without listing them all by name. For more details, see Export risk and risk trigger details. (Released 4-April-2024)

March 2024 Update

Risk detection date

For each risk, ACE now displays a detection date so you can quickly understand what risks were recently added to your environment and take immediate actions to fix them. (Released 26-March-2024)

  • The new Detected on column shows the date ACE first detected a risk trigger for a rule. For more details, see Risk triggers.

  • Filter risks by their detection date using the Detection date filter. Select a predefined or custom date range. For more details, see Search and filter risks.

New ACE deployment location for Middle East (ME) region

We're excited to announce the addition of a new ACE deployment location for our valued users in the Middle East region. ACE is now hosted on the following AWS availability zones:

  • ME: me-south-1 (Bahrain)

  • US: us-east-1 (N. Virginia)

  • EMEA: eu-central-1 (Frankfurt)

  • ANZ: ap-southeast-2 (Sydney)

See Logging in and out. (Released 19-March-2024)

See when accounts were onboarded to ACE

On the Onboarding page, you can now see the date when each account was successfully onboarded to ACE. (Accounts onboarded before this feature was introduced show N/A.) For more details, see the new Onboarding Date column on the Onboarding page. (Released 12-March-2024)

See the date/time when data collection of onboarded accounts last completed successfully

ACE now makes it easy to see when the last successful data collection occurred. The "Last Successful Update" column on the Onboarding page shows the most recent date and time that the data needed for calculating risks and other important information about your onboarded resources was gathered. If an error occurred during the update process, it appears in the Status column. Hover over the status error icon to see details about the error as well as the last update attempt. For more details, see Onboarding Management. (Released 12-March-2024)

Filter risks according to virtual networks on the risk page

Now you can see which risks are associated with specified virtual networks. See Risk filters. (Released 12-March-2024)

Updated login URLs

We have updated login URLs:

See Logging In and Out. (Released 06-March-2024)

February 2024 Update

Azure Firewall support for Last Used rule information and unused rules

ACE now supports Azure Firewall log data to track the last usage of firewall rules, allowing users to identify unused rules and generate reports on them. For details, see Filter displayed policy sets, Export risk trigger details, and Enable Azure flow logs. (Released 12-March-2024)

View Azure ACR CD mitigation scan history

The ACR CD Mitigation Scan History page provides a scan log of each deployment of an image in the container registry (ACR). You can view a summary of all scan history or drill down for details of each Azure Subscription. See Enable Threat Management on Azure ACR. (Released 28-February-2024)

View Configuration and Compliance Risk Trends

We've enhanced the dashboard for single accounts of all CSP (Cloud Service Provider) types. This update features a high-level analytic risk trend graph. This graph displays both regressions and progress in resolving configuration and compliance issues for the account and can be filtered according to severity level and time frame. Additionally, the update introduces a summary of the latest cloud security assessment scan data for the selected cloud account.

These enhancements enable security administrators to gain a holistic view of the current security status and historical trends, streamlining the process of identifying vulnerabilities and understanding security patterns over time.

See View Configuration and Compliance Risk Trends. (Released 19-February-2024)

January 2024 Update

Risks severity filter for Azure Firewall

We've added the Risks severity filter for Azure Firewall. This filter allows the display of only those policies in the list that contain rules with the selected severity level. See Filter displayed policy sets. (Released 29-January-2024)

Onboard Google Cloud resources from multiple organizations

You can now onboard resources to ACE from multiple organizations in Google Cloud. To ensure a smooth onboarding process, make sure that project IDs are unique across the different organizations. For more details, see Onboard Google Cloud Projects to Cloud Network Security. (Released 29-January-2024)

New onboarding methods for Google Cloud, Azure and AWS

Four methods for onboarding Google Cloud and Azure resources are now available in the onboarding wizard. You can choose from With Script, No Script (ideal for environments that do not support scripts), API, or Terraform methods, via a drop-down menu. For AWS, there are now three available methods to choose from: With Script, API, or Terraform. For more details, see:

(Released 29-January-2024)

Improved dashboard to explore and identify Account and Virtual Network issues

The dashboard on the Accounts Summary tab now offers expanded functionality. When you select an account in the Account Summary tab, you can see all the virtual networks in the account and pinpoint the virtual networks that are the root cause of network issues. You can also drill down into the virtual networks to explore further and gain a deeper understanding.

In the Account Summary page, we added two additional columns: Security policies and Cloud firewalls. These columns allow you to gauge the total number of security policies in each account. In addition, for Azure subscriptions you can review the number of Azure firewalls under each.

We also added summary pages for each virtual network.

For more details, see Review Account Status. (Released 17-January-2024)

Enhanced Networking Risk Management in Cloud App Analyzer

Introducing the AlgoSec Best Practices compliance standard: Cloud App Analyzer now enables you to deep dive into networking risks with advanced capabilities for identifying and analyzing networking misconfiguration, a feature that distinctly positions us ahead of competitors in the cloud security space. We've added a fourth compliance standard, AlgoSec Best Practices, specifically designed for network risk violations. This internally developed standard elevates our compliance and risk assessment to new heights, offering a more comprehensive analysis and improved adherence to compliance standards. See Manage Networking Risks in Cloud App Analyzer. (Released 17-January-2024)

December 2023 Update

Risk trigger indicators for individual Azure Firewall policies

ACE now delivers enhanced insights regarding the number of risk triggers detected in Azure Firewall policies. Besides showing the risk trigger totals for each policy, you can now see the breakdown of these numbers at the rule collection group and individual rule levels. Clicking on any of these indicators opens a popup with detailed information on the risk triggers. For more information, see View risks details at the policy level. (Released 26-December-2023)

View your Account ID

You can now easily access your Account ID directly from ACE. This is ideal if you're managing multiple accounts. It also simplifies the process of referencing an Account ID for support queries. To view and copy your account ID, just click your username at the top right corner of the screen to open the drop-down. See View your Account (Tenant) ID. (Released 26-December-2023)

Export Azure Firewall Risk Report to PDF

Now you can export risk reports for Azure Firewalls in PDF format. The report contains detailed information about risks and risk triggers found on Azure Firewall devices based on the filters selected by the user requesting the report. See Export risk and risk trigger details. (Released 14-December-2023)

November 2023 Update

Onboarding Azure resources without scripts

We've updated the onboarding wizard to include an option to onboard Azure subscriptions, management groups, and tenant root groups without using scripts. This is useful if your environment does not support scripts. For more details, see Onboard Azure Subscriptions to Cloud Network Security. (Released 28-November-2023)

Status of onboarded assets

You can now see the status of your onboarded virtual machines and instances. Located in the Assets tab of the Overview page, the new Status column indicates whether or not the VM operating system and applications are running. See The Assets Tab. (Released 14-November-2023)

New columns on the Changes page: Account Name and Virtual Network

The Changes page now has two new columns, providing additional information for Azure and AWS about the changed security groups:

  • Account Name: The name of the subscription / account

  • VNet / VPC: The virtual network where the change was detected

For more information, see Changed Security Groups list. (Released 2-November-2023)

Goodbye ACE Home page

To streamline your ACE experience, we've removed the Home page. (Released 2-November-2023)

View ECR CD mitigation scan history

The ECR CD Mitigation Scan History page provides a scan log of each deployment of an image in the ECR repository. You can view a summary of all scan history or drill down for details of each AWS account. See Enable Threat Management on AWS ECR. (Released 29-November-2023)

Manage threats in your CI/CD pipelines

Cloud App Analyzer's Mitigation Rules are integral to the GitHub CI and the AWS ECR CD pipelines. Mitigation rules assess container images for high-risk flags. Cloud App Analyzer static scans cover malware and vulnerabilities, and dynamic scans cover behavior analysis (IPs, domains, countries, open ports).

Default Mitigation Rules, sourced from government and other public databases and updated daily, include artifact items with a risk severity. You can set minimum risk levels for blocking pull requests (GitHub CI) and locking repositories (AWS ECR CD). For instance, a medium-risk IP won't block a pull request if the minimum risk is set to high. Conversely, with a medium risk setting, the same IP would trigger a block. You can also create custom block- and allow-lists. See Threat Management. (Released 16-November-2023)
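The threshold logic described above, as an added illustration that is not Cloud App Analyzer's rule engine: a finding blocks the pull request (or locks the repository) only when its severity reaches the configured minimum, a custom allow-list exempts an indicator regardless of severity, and a custom block-list blocks it regardless of severity. The severity scale, the findings and the list contents are constructed sample data; the medium-risk IP in the sample is the case the release note walks through.

```python
"""Severity-threshold mitigation rule evaluation for CI/CD image scans.

Added illustration, not AlgoSec code. Models the blocking decision the
release note describes: a finding blocks only when its severity is at or
above the configured minimum risk level, with custom allow- and block-lists
overriding the threshold. All data below is constructed.
"""

# Constructed ordering; the product's own severity scale may differ.
SEVERITY_ORDER = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def evaluate_findings(findings, minimum_risk, allow_list=(), block_list=()):
    """Return (blocked, reasons) for a set of scan findings.

    findings:     iterable of dicts with "indicator" (an IP, domain, country,
                  open port or vulnerability id) and "severity".
    minimum_risk: lowest severity that blocks, "low" .. "critical".
    allow_list:   indicators that never block, whatever their severity.
    block_list:   indicators that always block, whatever their severity.
    """
    threshold = SEVERITY_ORDER[minimum_risk]
    reasons = []
    for f in findings:
        ind = f["indicator"]
        if ind in allow_list:
            continue  # explicitly accepted by the customer
        if ind in block_list:
            reasons.append(f"{ind}: on custom block-list")
            continue
        if SEVERITY_ORDER[f["severity"]] >= threshold:
            reasons.append(f"{ind}: severity {f['severity']} >= minimum {minimum_risk}")
    return (len(reasons) > 0, reasons)


# Constructed findings from a static scan (a CVE-style id, placeholder) and a
# dynamic scan (an IP from the TEST-NET-3 documentation range and an open port).
SAMPLE_FINDINGS = [
    {"indicator": "CVE-PLACEHOLDER-1", "severity": "low"},
    {"indicator": "203.0.113.7", "severity": "medium"},   # the medium-risk IP
    {"indicator": "tcp/8080", "severity": "low"},
]

if __name__ == "__main__":
    # Minimum "high": the medium-risk IP does not block the pull request.
    print(evaluate_findings(SAMPLE_FINDINGS, "high"))      # (False, [])
    # Minimum "medium": the same IP now triggers a block.
    print(evaluate_findings(SAMPLE_FINDINGS, "medium"))
    # A block-list entry blocks even a low-severity open port.
    print(evaluate_findings(SAMPLE_FINDINGS, "high", block_list={"tcp/8080"}))
```

The allow-list is checked before the block-list, so an indicator that appears on both is treated as accepted; if the opposite precedence is wanted, swap the two checks.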

October 2023 Update

Export an Unused Rules Report to a CSV file

Now you can export an Unused Rules Report based on selected entities in the tree and filters (Vendor, Account, VNet/VPC, etc.), making it easy to share. See Export Policy Sets. (Released 11-October-2023)

New Cloud App Analyzer deployment location for ANZ region

We're excited to announce the addition of a new Cloud App Analyzer deployment location for our valued users in the Asia Pacific region. We are already in the process of onboarding the first customer located in Australia. Cloud App Analyzer is now hosted on the following AWS availability zones, with the EMEA availability zone next in line:

  • ANZ: ap-southeast-2 (Sydney)

  • US: us-east-1 (N. Virginia)

See Logging In and Out. (Released 26-October-2023)

Extended insights for Docker container scans

We've enhanced Cloud App Analyzer CI/CD Container Security by displaying the list of your open Pull Requests right in Cloud App Analyzer. The list provides a structured view of the scan details for each open pull request, to help quickly assess and manage your security findings. Also, you can now access a full report of Docker container scans, directly from the Scan Summary comments in GitHub or from within Cloud App Analyzer, in the Pull Requests list. See Cloud App Analyzer CI/CD Container Security. (Released 22-October-2023)

Manage Your AWS ECR Repositories

Now you can integrate Cloud App Analyzer with AWS to manage ECR repositories. Automatically detect when new images are pushed to your repositories. Modify the permissions of your repositories, giving you the ability to block any pull operation for the location where the image resides. See Enable Threat Management on AWS ECR. (Released 12-October-2023)

September 2023 Update

Get information to build your own account summary dashboard

ACE's new Get Account Summary Information API provides you with the data you need to build your own account summary dashboards, including information about risks and their severity, unused rules, risky assets, security rating, and trend. See Get account summary information API. (Released 27-September-2023)

Cloud App Analyzer CI/CD Container Security

Cloud App Analyzer CI/CD Container Security solution is an extensible security plugin platform that provides an automated scan for Docker containers. Cloud App Analyzer will build, simulate runtime, and scan the image statically and dynamically for security risks. This is integrated into the user's GitHub repository CI process. See Cloud App Analyzer CI/CD Container Security. (Released 19-September-2023)

August 2023 Update

Google Cloud Project auto onboarding

With the new Google Cloud Project auto onboarding process, ACE continually syncs with your Google Cloud Projects. Any subsequent changes such as adding or removing projects are automatically reflected in ACE. See Onboard Google Cloud resources using your preferred method. (Released 22-August-2023)

July 2023 Update

Accounts | New security rating and trend indicators

The Account Summary now includes a security rating, which shows the network security compliance level of the account. The trend indicator shows any changes in the security rating over time. See Review Account Status. (Released 31-July-2023)

Risks at the policy level

On the Network Policy page, now you can click the risk severity level indicators on policies to get a detailed list of all the risk triggers associated with the policy. See The Account Summary tab. (Released 31-July-2023)

Track User Activities

The new User Activity tab provides administrators with a convenient way to check users' adherence to established protocols and assists in the prevention and detection of fraudulent activities. Review key information such as who initiated an activity and when. For more details, see Track User Activities. (Released 19-July-2023)

View Google Cloud Project unused rules

Now on the Overview page, for each project you can see the number of Google Cloud Project rules not being used. This information can assist in cleaning the policies and reducing the attack surface. Click on the number to open the Network Policies page and get the unused rules report. See Review Account Status. (Released 4-July-2023)

June 2023 Update

Identify public-facing assets with risks

We've made it easier for you to spot potential issues with your assets. On the Account Summary tab, you'll now see the Risky Assets column which shows you how many of your assets with public IPs have critical or high risks. It's a quick way to identify what risks you should handle first. For more details, see The Account Summary tab. (Released 20-June-2023)

See the number of risk triggers per asset

Now on the Overview page's Assets tab, you can see the number of risk triggers associated with each asset. This allows you to quickly understand each asset's risk exposure and then take corrective steps. For more details, see The Assets tab. (Released 14-June-2023)

Affected Assets for Hierarchical (Inherited) Policies

ACE now displays affected assets for detected risks on all rules, including hierarchical (inherited) rules. See View rule risks & affected assets. (Released 5-June-2023)

Azure auto onboarding

With the new Azure onboarding process, ACE continually syncs with your Azure subscriptions. Any subsequent changes such as adding or removing subscriptions are automatically reflected in ACE. See Onboard Azure resources using your preferred method. (Released 5-June-2023)

Status error details

ACE now provides admins with a detailed explanation of account data collection failure. To learn more, see Access the ONBOARDING MANAGEMENT page. (Released 5-June-2023)

May 2023 Update

Azure Firewall risk information

Now on the ACE Risks page, you can view Azure Firewall (Managed with Policies) risk information and see recommended remediation. For more info see Work with Risks. (Released 23-May-2023)

Asset IP address

The Assets tab has a new column, Address, which displays the public and private IP address of the asset. For more info, see The Assets tab. (Released 11-May-2023)

April 2023 Update

Google Cloud Project Policy Cleanup

ACE now tracks rule usage for onboarded Google Cloud Projects so you can identify unused rules in both hierarchical (inherited) rules and firewall policy rules. For more info, see Clean Up Policies. (Released 10-April-2023)

Important: Existing customers will need to add the permission Onboard Google Cloud Projects to Cloud Network Security in Google Cloud Project.

March 2023 Update

Manage risk profiles in ACE

In the new Risk Profile page, you can manage which risk profile ACE uses to calculate risks to your onboarded accounts and assets. For more details, see Manage Risk Profiles. (Released 22-March-2023)

Account Summary tab: Get a comprehensive view of your accounts

The renamed Overview page (previously known as Inventory) gives you a comprehensive view of your network resources. The Account Summary tab gives you a detailed summary of all onboarded accounts, including potential risk indicators based on the activated risk profile. For more details, see Overview page tabs. (Released 16-March-2023)

See all rules protecting the Google Cloud Project VPC in one place

Now you can see all the rules protecting the Google Cloud Project VPC in one place in the Network Policies tab. View VPC firewall rules and the hierarchical (inherited) rules used by that firewall. Hierarchical (inherited) rules are located above the VPC firewall rules and are distinguished by grey rows. For more details see Flattened Hierarchical View of Google Cloud Policies. (Released 1-March-2023)

February 2023 Update

AWS auto onboarding

We've revamped the AWS onboarding process. During onboarding, ACE connects with your AWS StackSets and automatically syncs all accounts (Stacks) at once. Any subsequent changes made to StackSets in AWS such as addition or removal of accounts are automatically reflected in ACE. See Onboard AWS Accounts to Cloud Network Security. (Released 14-February-2023)

AWS and Azure Changes History

The new Changes page in ACE gives details on rule changes made on your onboarded AWS accounts and Azure subscriptions. We will be rolling out this feature to our customers in phases during Q1 and Q2 2023, so if you still don't see it, you will soon! See View Changes History. (First released 19-November-2022)

January 2023 Update

Onboarding Management

In ACE Settings, we've renamed the Accounts page to Onboarding Management and given it a UI facelift. For more details see Manage Onboarded Accounts. (Released 27-January-2023)

Official support for OKTA for SSO

AlgoSec SaaS applications now officially support OKTA as an SSO provider. See Manage Single Sign-On (SSO). (Released 27-January-2023)

IaC (Infrastructure-as-Code) Connectivity Risk Analysis

AlgoSec’s IaC Connectivity Risk Analysis solution is an extensible security plug-in platform that checks code for potential vulnerabilities before any commits are made to a repository. Using it, you can accelerate application delivery by taking a proactive, preventive, and collaborative approach within your CI/CD pipeline. Developers get clear visibility into risks right in the source control application and clear remediation steps, without needing to move to a different application or wait for a security admin to manually review and approve that the code is risk free. See IaC Connectivity Risk Analysis. (Released 1-January-2023)

November 2022 Update

Azure Firewall policies

Important: Make sure you update your Azure permissions.

ACE now shows information about your Azure Firewall (Managed with Policies) and its network, application, and NAT rules. See Filter displayed policy sets. (Released 28-November-2022).

Vendor-specific filters

We've added new filters to the Network Policies page. Each vendor has its own unique set of filters which you can use to refine the policy sets displayed. See Vendor-specific filters. (Released 9-November-2022)

October 2022 Update

Documentation Enhancement: Azure, AWS, Google Cloud Project required permissions

You asked for it, we delivered. We’ve added a list of permissions for Azure, AWS, and Google Cloud Project. Have a look here: Azure, AWS, and Google Cloud Project. (Released 24-October-2022)

Google Cloud Project Inherited Policies Visibility and Risks

Important: Make sure you update your Google Cloud Project permissions.

ACE now displays Google Cloud Project Inherited policies:

  • On the Network Policies page, you can view details such as the folder where the inherited policy is defined, its calculated risks, and which target networks use the inherited policies.

  • On the Risks page, there is a new column indicating the risks found in rules in inherited policies.

(Released 24-October-2022)

August 2022 Update

Single Sign-On (SSO)

You can now log in to ACE SSO-enabled tenants with a single click. To set up SSO on a tenant, see Manage Single Sign-On (SSO). (Released 22-August-2022)

View protected VMs

The new Protected by column on the ASSETS tab of the Inventory page helps you to understand the protection each of your VMs has and to identify unprotected assets. See Review Account Status. (Released 10-August-2022)

July 2022 Update

Network policies tree

ACE's Network Policies page added a tree structure so you can quickly navigate between cloud vendors and drill down into individual VPCs/VNets. See Manage Network Policy Sets. (Released 18-July-2022)

Risk severity filter

The new Severity filter allows you to also filter risks by risk severity. (Released 14-July-2022)

Using tags in ACE

We’ve added a new topic explaining how to work with tags in ACE. On the Risks page, filtering based on tags can focus your risk analysis and remediation specifically on the risks identified by the selected tags. A common use case for tags is to identify all assets related to applications. See Work with Tags. (Released 6-July-2022)

Minimum permissions for roles that are not Azure-built-in roles

We've added a new section detailing minimum permissions for roles that are not Azure built-in roles. See Onboard Azure Subscriptions to Cloud Network Security. (Released 6-June-2022)

June 2022 Update

Calculate risks from ACE

Once the connection with ACE is established, ACE by default automatically starts to calculate risks using the ACE Standard Risk Profile. You can use a custom profile instead of the ACE Standard Risk Profile. See Calculate risks. (Released 6-June-2022)

Cloud secure communication over HTTP tunnel connection from ACE in A32.10

Starting from the June 6 hotfix (HF) of ASMS A32.10 (build A32.10.380-180), AlgoSec Cloud secure communication takes place over TLS, which by default in ACE is transported over an HTTP tunnel. The encapsulated traffic is encrypted using TLS with public key certificates. The HTTP tunnel can run with or without a customer proxy server. See ACE-AlgoSec SaaS trust and communication. (Released 6-June-2022)

Cross account flow logs for S3 bucket

You can now create cross-account flow logs for your S3 (Simple Storage Service) bucket in AWS. See Enable VPC flow logging for S3. (Released 13-June-2022)

Additional rule information in Risks Reports

To better understand detected risks in the Risks Reports, we now display rule information. (Released 21-June-2022)

May 2022 Update

Cloud secure communication over HTTP tunnel connection from ACE in A32.20

New to ASMS A32.20, ACE-AlgoSec Cloud secure communication takes place over TLS, which by default in ACE is transported over an HTTP tunnel. The encapsulated traffic is encrypted using TLS with public key certificates. The HTTP tunnel can run with or without a customer proxy server. See ACE-AlgoSec SaaS trust and communication. (Released 2-May-2022)

April 2022 Update

Custom Roles or System Roles can be assigned to users

Custom roles define accounts as managed, read-only, or with no permission for the users to which these roles are assigned. This lets administrators control which accounts users can see or manage. Like system roles, multiple custom roles can be applied to one user. However, custom roles and system roles cannot be applied to the same user. See Custom Roles. (Released 22-Apr-2022)

March 2022 Update

Risks now shown for Policy Sets

The total number of policy set risks and risks per rule of each severity level are displayed for policy sets listed in the Network Policy tab. (Released 14-Mar-2022)

Google Cloud Project Network Risks Support

Google Cloud Project risks are now displayed on the ACE Risks page, providing complete visibility and access to risks across all your onboarded Google Cloud Project accounts. See Work with Risks. (Released 7-Mar-2022)

Updated AlgoSec Cloud Services Security Practices

We've added new information. See AlgoSec SaaS Services Security Practices. (Released 1-Mar-2022)

February 2022 Update

List of minimum required Azure Permissions

This list of minimum permissions will simplify onboarding Azure subscriptions. See Onboard Azure Subscriptions to Cloud Network Security. (Released 17-Feb-2022)

January 2022 Update

Third-party software components

A list of third-party software components used in AlgoSec cloud applications is now available on the portal Documentation Resources page (under AlgoSec Cloud Documentation). (Released 6-Jan-2022)

December 2021 Update

Reset Password from the ACE Access Management UI

An ACE Admin can reset a user's password. See Reset Password. (Released 22-Nov-2021)

Create a Risks Report

All ACE users can create Risks Reports. A Risks Report presents a snapshot of the risks and risk triggers found at a specific time, based on the filters selected by the user requesting the report. See Export risk and risk trigger details and Work with Risks. (Released 27-Dec-2021)

October 2021 Update

ACE's October 2021 update provides the following new features:

Manage API Access Keys from the ACE Access Management UI

ACE supports managing access keys for use with AlgoSec APIs. See Manage API Access Keys. (Released 18-Oct-2021)

Support for running Admin and Risks APIs from the API Documentation

To access the ACE APIs, go to api-docs.algosec.com or use the API link at the top of the ACE online documentation landing page. (Released 18-Oct-2021)

August 2021 Update

ACE's August 2021 update provides the following new feature:

Role-based Access Management

ACE now supports three built-in user roles. For details, see Manage User Roles. (Released 11-Aug-2021)

Risk Triggers Report

For a selected risk, export the details of the associated risk triggers. For details, see Export risk and risk trigger details. (Released 11-Aug-2021)

June 2021 Update

ACE's June 2021 update provides the following new feature and bug fixes:

Initial Support for Google Cloud

ACE now supports Google Cloud in preview mode, covering onboarding of Google Cloud Projects and Inventory. For details, see Onboard Google Cloud Projects to Cloud Network Security. (Released 21-Jun-2021)

Bug Fixes

  • AWS accounts data collection status is displayed as “Failure” when one or more regions in the target account are disabled. ACE now skips disabled regions. (SUP-14932, 9-Jun-2021)

  • The network policies interface may be unusable when the system is onboarded with a large number of cloud accounts. The relevant DB queries have been enhanced and the underlying infrastructure was scaled up to accommodate large accounts. (SUP-14896, 31-May-2021)

  • The network policies interface may be unusable when the system is onboarded with a large number of cloud accounts. The relevant DB queries have been enhanced to accommodate large accounts. (SUP-14519, 1-May-2021)

April 2021 Update

ACE's April 2021 update provides the following improvement:

Multi-factor Authentication (MFA) enforcement option

ACE now provides the option of setting Multi-factor Authentication (MFA) enforcement for secure user login. For details see Logging In and Out and Manage Users. (Released 12-Apr-2021)

March 2021 Update

ACE's March 2021 update provides the following improvement:

Tag filtering

In addition to the ability to filter risks for cloud types, accounts and regions, you can now focus your risk analysis and remediation on specific categories of risks identified by tags (key/value combinations) applied to the cloud platform assets.

Customers can use this capability to focus on analyzing and remediating risks related to specific applications. For example, the tag filter App: eCommerce can be used to review all the risks related to the eCommerce application. See Work with Risks. (Released 15-Mar-2021)

February 2021 update

ACE's February 2021 update provides the following improvement:

Risk Filters

Easily focus on the risks and risk triggers of interest using the Cloud type, Account, and Region filters at the top of the Risks page. Each of these optional filters can accommodate multiple values. You can quickly shorten the list of available filter values by typing in the filter field. See Risk filters. (Released 9-Feb-2021)


January 2021 update

ACE's January 2021 update provides the following improvement:

Risks Page Redesign

The Risks page has been redesigned to provide a better and easier user experience. The complete list of risks and all details for the selected risk, including all risk trigger details, are accessible from one page. This avoids opening multiple tabs and browsing between them. For details, see Work with Risks. (Released 4-Jan-2021)

December 2020 update

ACE's December 2020 update provides the following new features and bug fix:

ACE ASMS Integration

You are now able to establish trust between ACE and ASMS. This integration allows hybrid functionality such as Check connectivity over the hybrid network. For details about establishing this trust, see AlgoSec Cloud Enterprise - ASMS Integration. (Released 28-Dec-2020)

Check Connectivity for the Hybrid Network

You are now able to run a connectivity check (traffic simulation query) on an Azure NSG rule to observe how traffic is routed and whether it is allowed across your entire hybrid network (i.e. across NSGs, firewalls, routers, etc., deployed in the cloud and/or on-prem). For details, see Check connectivity for the hybrid network. (Released 28-Dec-2020)

Bug Fix

Data collection failure for Azure subscriptions having a large number of storage accounts. Excessive data collection requests resulted in Azure API rate limiting. Relevant API call has been enhanced to collect the same data in fewer requests. (SUP-12908, 7-December-2020, SUP-13120, 28-December-2020)

Note: Although this seems identical to the release note (regarding SUP-11388 and SUP-12111) below, the customer Azure setup in each case was different and the solutions are different.

November 2020 update

ACE's November 2020 update provides the following new and improved features:

AWS VPC Flow Logs Collection from CloudWatch

ACE is now able to collect AWS VPC Flow Logs from CloudWatch (in addition to the existing ability to do the same from S3 buckets).

This provides more flexibility for customers who want to use ACE rule cleanup and rule usage capabilities with logs stored in CloudWatch.

For more details, refer to VPC Flow Logs. (Released 16-Nov-2020)

Suppressing risks and risk triggers

Risks and risk triggers can now be suppressed (i.e. acknowledged) to ensure a shorter risks list and avoid reviewing risks and risk triggers you trust and consider as “noise”.

For more details, refer to Suppress/Activate risks and risk triggers. (Released 9-Nov-2020)

Access Management

New individual admin users can now be added and managed from the ACE interface. For more details, refer to Manage Users. (Released 2-Nov-2020)

October 2020 update

ACE's October 2020 update provides the following issue resolution:

Resolved/Optimized:

Data collection failure for Azure subscriptions having a large number of storage accounts. Excessive data collection requests resulted in Azure API rate limiting. The relevant API call has been enhanced to collect the same data in fewer requests. (SUP-12111, 5-Oct-2020)

Note: Although this seems identical to the release note (regarding SUP-11388, 14-Sep-2020) below, the customer Azure setup in each case was different and the solutions are different.

September 2020 updates

ACE's September 2020 update includes several resolved issues:

Resolved:

  • Rule usage was not shown for AWS Security Group policy rules when VPC Flow Logs were sent to both CloudWatch and S3. (At the time, CloudWatch was not supported by ACE.) Now, sending VPC Flow Logs to CloudWatch does not negatively affect the ACE rule usage display, which is based on S3 log data. (SUP-11782, 14-Sep-2020)
  • For large AWS accounts with a large number of Security Groups, not all the security groups were displayed on the AWS SGs network policies interface. (CS-2980, 14-Sep-2020)
  • When using the Azure subscription PowerShell setup script, the "Contributor" role may be assigned to a different subscription from the one the user selected.
    Note: The issue originates from a recent change Azure made in the relevant API. (CS-2969, 14-Sep-2020)

Resolved/Optimized:

  • Data collection failure for Azure subscriptions having a large number of storage accounts. Excessive data collection requests resulted in Azure API rate limiting. The relevant API call has been enhanced to collect the same data in fewer requests. (SUP-11388, 14-Sep-2020)
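The three Azure throttling fixes above (SUP-11388, SUP-12111, SUP-12908) describe the same failure mode: a collector that issues one ARM request per resource trips the subscription's rate limit and fails the whole collection. The following is an added example, not AlgoSec's code, showing the two halves of the fix a practitioner would expect: collecting the same inventory with paged list calls instead of per-resource reads, and honouring the 429 `Retry-After` hint instead of failing on the first throttled response. `FakeArmClient` is a constructed stand-in for an ARM endpoint (its `burst` limit and page size are assumptions); the collector functions would wrap a real SDK client in the same way.

```python
"""Throttle-aware Azure inventory collection (added example, not AlgoSec code).

FakeArmClient is a constructed stand-in for an Azure Resource Manager endpoint:
it pages a storage-account listing and answers HTTP 429 with a Retry-After once
more than `burst` requests arrive inside one throttle window.  Calling its
sleep() models the window expiring; a real collector would pass time.sleep.
"""
from dataclasses import dataclass
from typing import Callable, Optional

MAX_RETRIES = 5          # assumption: give up after this many 429s in a row


@dataclass
class Response:
    status: int
    body: Optional[dict] = None
    retry_after: float = 0.0   # seconds, from the Retry-After header


class Throttled(Exception):
    """The endpoint kept answering 429 beyond MAX_RETRIES."""


class FakeArmClient:
    """Constructed ARM stand-in; not a real Azure SDK object."""

    def __init__(self, names, page_size=50, burst=10):
        self._names = list(names)
        self.page_size = page_size
        self.burst = burst            # requests allowed per throttle window
        self.calls = 0                # every request, throttled or not
        self.throttled = 0            # number of 429 responses handed out
        self._in_window = 0

    def sleep(self, seconds: float) -> None:
        self._in_window = 0           # the throttle window has expired

    def _gate(self) -> Optional[Response]:
        self.calls += 1
        if self._in_window >= self.burst:
            self.throttled += 1
            return Response(429, retry_after=1.0)
        self._in_window += 1
        return None

    def list_storage_accounts(self, skip_token: Optional[str] = None) -> Response:
        if (r := self._gate()) is not None:
            return r
        start = int(skip_token or 0)
        end = start + self.page_size
        return Response(200, {
            "value": [{"name": n} for n in self._names[start:end]],
            "nextLink": str(end) if end < len(self._names) else None,
        })

    def get_storage_account(self, name: str) -> Response:
        if (r := self._gate()) is not None:
            return r
        return Response(200, {"name": name})


def call_with_backoff(fn: Callable[..., Response], sleep: Callable[[float], None], *args) -> Response:
    """Retry a request on 429, waiting the server-suggested Retry-After
    (or an exponential fallback when the header is missing)."""
    for attempt in range(MAX_RETRIES + 1):
        resp = fn(*args)
        if resp.status != 429:
            return resp
        sleep(resp.retry_after or float(2 ** attempt))
    raise Throttled(f"still throttled after {MAX_RETRIES} retries")


def collect_per_account(client, names, sleep) -> list:
    """The pattern behind the bug: one GET per storage account."""
    return [call_with_backoff(client.get_storage_account, sleep, n).body for n in names]


def collect_paged(client, sleep) -> list:
    """The fix: walk the paged LIST response, a handful of requests in total."""
    accounts, token = [], None
    while True:
        resp = call_with_backoff(client.list_storage_accounts, sleep, token)
        accounts.extend(resp.body["value"])
        token = resp.body["nextLink"]
        if token is None:
            return accounts


if __name__ == "__main__":
    names = [f"st{i:03d}" for i in range(120)]
    for collector in (collect_per_account, collect_paged):
        c = FakeArmClient(names)
        got = collector(c, names, c.sleep) if collector is collect_per_account else collector(c, c.sleep)
        print(f"{collector.__name__}: {len(got)} accounts, {c.calls} requests, {c.throttled} throttled")
```

With 120 accounts the per-resource collector needs 131 requests and is throttled 11 times, while the paged collector finishes in 3 requests with no throttling; both return the same inventory. When throttling never clears (a `sleep` that does not let the window expire), `call_with_backoff` raises `Throttled` after `MAX_RETRIES` retries instead of looping forever, which is the status an onboarding page should surface as a collection error.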

July 2020 updates

ACE's July 2020 update provides the following enhancements and bug fix:

Improved Azure risk triggers/affected assets calculations

Azure NSG risk triggers and affected assets calculations have been improved. For details, see Work with Risks.

New option facilitates NSG flow logs collection permissions

An option has been added in the Azure subscription PowerShell setup script. The option assigns roles required for NSG flow logs collection.

Azure Scale Sets support

ACE now collects Azure Virtual Machine Scale Sets configurations.

The VM parts of Scale Set data are

  • displayed as VM records in the Inventory section
  • taken into consideration in risk calculation, and
  • displayed as affected assets in the Risk interface.

Bug fix

The flickering of Inventory Asset and Security Control lists in high-magnitude zoom or on large screens has been eliminated.

June 2020 updates

ACE's June 2020 update provides the following enhancements:

New login screen

A new login screen has been introduced, allowing the user to submit all the login credentials in one screen.

During first-time login, Admin users can now provide their email. This enables them to reset their password at any time, using the Forgot Password button.

AWS SG rules cleanup support

Cloud security groups are constantly adjusted, and can bloat rapidly. This makes cloud security groups difficult to maintain, and increases potential risk.

When viewing AWS SG policy sets, ACE now provides a Cleanup view that enables you to show unused rules only.

Use this Cleanup view when optimizing your network policies by removing rules that may no longer be required because they are no longer in use.

For more details, see Clean Up Policies.

Note: To view last used data for AWS SGs, you must have flow logs enabled for each relevant SG. For more details, see Enable AWS VPC flow logging.

Unused rules on-the-fly analysis time modification

In both the AWS SGs policies page and the Azure NSGs policies page, the analysis time criteria for unused rules can be changed on the fly. A rule's last-used column shows the last-used date or "no traffic logged".

Note: This requires flow logging to be enabled for the relevant AWS VPCs and/or the relevant Azure NSGs.

ICMP support for Azure NSG rules

The ICMP protocol is now supported for Azure NSG rules.

As of June 2020, Azure does not enforce ICMP sub-types (even if the user configured a source or destination port along with the ICMP protocol).

Policy rule count

Policy rule counts are displayed on policy pages. They indicate the number of rules per policy or group of policies, or the number of rules filtered or searched (i.e. all, unused, and filtered by search criteria).

April 2020 updates

ACE's April 2020 update provides the following enhancements:

Enhanced central policy management

ACE's NETWORK POLICIES area has been redesigned to provide a smoother flow for viewing and editing your network policies.

Main user interface updates include the following:

  • Policy tree and unified policy management

    The NETWORK POLICY tree now displays only AWS SG policies, Azure NSG policies, and Azure Firewall (classic). Click an item to view and manage all policy sets for the selected type on a single page.

    On the page for each type, ACE displays both policies with only one security control, such as a single AWS Security Group, and policy sets with multiple, similar, security controls.

  • All security controls are automatically part of a policy set

    Each individual security control is now assigned to a default policy set. Search for similar security controls to merge them as needed.

    Note: Since each policy now has a default policy set, you no longer need to create a new policy set from scratch. Instead, merge similar policy sets to create a new, central policy set.

For more details and updated instructions for viewing, editing, merging, and dissolving policy sets, see Merge policy sets.

Azure NSG rule cleanup

Cloud security groups are constantly adjusted, and can bloat rapidly. This makes cloud security groups difficult to maintain, and increases potential risk.

When viewing Azure NSG policy sets, ACE now provides a Cleanup view that enables you to show unused rules only.

Use this Cleanup view when optimizing your network policies by removing rules that may no longer be required because they are no longer in use.

For more details, see Clean Up Policies.

Note: To view last used data for Azure NSGs, you must have flow logs enabled for each relevant NSG. For more details, see Enable Azure flow logs.

March 2020 updates

ACE's March 2020 update provides the following updates:

Last used rule data for Azure NSG risks

ACE now enables you to view the last date a specific rule was used on the risk triggers details page, for Azure NSGs. This data is based on your NSG flow logs, and helps you to clean up your NSG network policies by identifying rules that have little or no use.

We recommend removing rules that are not in use to keep your policies clean and simple.

The last used column displays one of the following values:

  • A date, which is the last date that a rule was used, or triggered. ACE analyzes rule usage in the last 30 days only.
  • No traffic logged, if the rule was not used at all during the last 30 days
  • Flow logs disabled, if flow logs are not enabled for the relevant NSG

In order to display rule usage data, you must enable flow logging for your NSG. You can do this for each NSG manually in the Azure console, or for multiple NSGs using a script provided by ACE.

ACE will automatically start to collect flow log data for any NSG with flow logging enabled, even if it was added to ACE at an earlier time.

Tip: We recommend that you enable flow logs whenever provisioning a new NSG on your subscription, and even configure your system to automatically enable flow logs when a new NSG is provisioned.

For more details, see Enable Azure flow logs.
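The last-used column above is derived from the NSG flow log records themselves: each record attributes its flow tuples to the NSG rule that matched, so the newest tuple timestamp per rule inside the 30-day window is the rule's last-used date. The following is an added example, not AlgoSec's code, that computes the three column values (a date, "No traffic logged", "Flow logs disabled") from sample records. The records are constructed but follow the NSG flow log JSON layout (version 2 flow tuples of the form `timestamp,srcIp,dstIp,srcPort,dstPort,protocol,direction,decision,state,...`); the resource IDs, rule names and the fixed "now" are assumptions, and whether a rule is counted as unused follows the release note's definition (no traffic in the window), not the flow-logs-disabled case, which is unknown rather than unused.

```python
"""Rule last-used from Azure NSG flow logs (added example, not AlgoSec code).

SAMPLE_LOG is constructed for this example in the NSG flow log JSON layout.
Version 2 flow tuples are comma-separated; the first field is a Unix epoch
timestamp.  Only the rule name and timestamp are needed here.
"""
import json
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 30          # per the release note: usage is analysed over the last 30 days

# Assumed resource IDs (NSG-DB has no flow logs enabled in this example)
NSG_A = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG1"
         "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB")
NSG_B = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG1"
         "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-DB")


def _record(time_iso, nsg, flows):
    return {"time": time_iso, "category": "NetworkSecurityGroupFlowEvent",
            "resourceId": nsg, "operationName": "NetworkSecurityGroupFlowEvents",
            "properties": {"Version": 2, "flows": flows}}


def _flow(rule, *tuples):
    return {"rule": rule, "flows": [{"mac": "000D3AF87856", "flowTuples": list(tuples)}]}


# Constructed sample: three flow log records, all for NSG-WEB.
SAMPLE_LOG = json.dumps({"records": [
    _record("2020-01-15T00:00:00.000Z", NSG_A, [
        _flow("Allow-RDP-In", "1579046400,203.0.113.55,10.0.1.4,51003,3389,T,I,A,B,,,,")]),
    _record("2020-03-20T00:00:00.000Z", NSG_A, [
        _flow("Allow-HTTPS-In", "1584662400,203.0.113.10,10.0.1.4,51000,443,T,I,A,B,,,,"),
        _flow("DefaultRule_DenyAllInBound", "1584662410,198.51.100.7,10.0.1.4,40000,23,T,I,D,B,,,,")]),
    _record("2020-03-25T10:00:00.000Z", NSG_A, [
        _flow("Allow-HTTPS-In", "1585130400,203.0.113.10,10.0.1.4,51002,443,T,I,A,B,,,,")]),
]})

# Assumed policy inventory: rules per NSG as collected from the subscription.
POLICY_RULES = {
    NSG_A: ["Allow-HTTPS-In", "Allow-RDP-In", "Allow-SSH-In"],
    NSG_B: ["Allow-Any-In"],
}
FLOW_LOGS_ENABLED = {NSG_A}
NOW = datetime(2020, 3, 31, tzinfo=timezone.utc)   # fixed "now" for the example


def parse_rule_hits(records) -> dict:
    """Return {nsg_id: {rule_name: newest_epoch_seen}} across all records."""
    hits = {}
    for rec in records:
        per_nsg = hits.setdefault(rec["resourceId"], {})
        for flow in rec["properties"]["flows"]:
            rule = flow["rule"]
            for inner in flow["flows"]:
                for tup in inner["flowTuples"]:
                    try:
                        ts = int(tup.split(",", 1)[0])
                    except ValueError:
                        continue                     # malformed tuple: skip, do not fail the NSG
                    if ts > per_nsg.get(rule, 0):
                        per_nsg[rule] = ts
    return hits


def last_used(rules, hits, flow_logs_enabled, now, window_days=WINDOW_DAYS) -> dict:
    """Map (nsg_id, rule) to a date string, "No traffic logged" or "Flow logs disabled"."""
    cutoff = now - timedelta(days=window_days)
    statuses = {}
    for nsg, names in rules.items():
        for rule in names:
            if nsg not in flow_logs_enabled:
                statuses[(nsg, rule)] = "Flow logs disabled"
                continue
            ts = hits.get(nsg, {}).get(rule)
            seen = datetime.fromtimestamp(ts, timezone.utc) if ts is not None else None
            if seen is None or seen < cutoff:
                statuses[(nsg, rule)] = "No traffic logged"
            else:
                statuses[(nsg, rule)] = seen.date().isoformat()
    return statuses


def unused_rules(statuses) -> list:
    """Cleanup candidates: rules with logging on but no traffic in the window."""
    return [key for key, status in statuses.items() if status == "No traffic logged"]


def demo() -> dict:
    records = json.loads(SAMPLE_LOG)["records"]
    return last_used(POLICY_RULES, parse_rule_hits(records), FLOW_LOGS_ENABLED, NOW)


if __name__ == "__main__":
    for (nsg, rule), status in demo().items():
        print(f"{nsg.rsplit('/', 1)[-1]:8} {rule:16} {status}")
```

On the sample data Allow-HTTPS-In resolves to 2020-03-25 (the newest of its two tuples), Allow-RDP-In resolves to "No traffic logged" because its only hit (15 January) is older than the 30-day cutoff, Allow-SSH-In has no tuples at all, and Allow-Any-In on NSG-DB reports "Flow logs disabled". Note that the default deny rule appears in the logs but not in the policy inventory, so it is ignored; the reverse case, a policy rule with no log entries, is exactly what the cleanup view is meant to surface.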

Azure NSG risk enhancements

ACE's risk analysis now supports Azure NSG rules with Service tags or Application security groups (ASGs).

For more details, see Work with Risks.

Service tag support

In addition to detecting risks for Azure rules with Service tag values, ACE has specific risks for Service tag definitions.

For example, one such risk is triggered for any Azure rule or NSG where the destination is the ActiveDirectory service tag and the destination port is any.

ASG support

ACE detects network risks for rules consisting of Azure ASGs by identifying the ASG network content and calculating risks accordingly.

January 2020 updates

ACE's January 2020 update provides the following updates:

Azure NSG network risks

ACE now supports risks detected in Azure NSGs.

For example, in the ACE RISKS area, view both AWS SG and Azure NSG risks and their full details.

For more details, see Work with Risks and Onboard Azure Subscriptions to Cloud Network Security.

Streamlined risk trigger remediation

Risk trigger details pages now also include hyperlinks directly to the relevant policy set for each trigger item.

Click a link in the Evidence column to jump to the relevant policy.

A new tab is opened to display the policy set. There, the relevant rule is highlighted and you can edit the policy to make any changes needed.

For example, modify or remove the offending rule to avoid allowing risky traffic.

For more details, see View risks and risk details and Policy set details.
