Even after a decade of cloud computing, many organizations are still struggling over the issue of cloud security. The issue is especially acute when it comes to Infrastructure as a Service (IaaS). Developers love the aspects of the cloud that free them from limitations and delays — things like elastic compute capability, self-service and broad network access. On the other hand, network security teams have difficulty keeping pace with lots of servers that can come and go at the developers’ will.
The tools that security experts use in the data center don’t fit well in the cloud’s virtualized infrastructure. The traditional tools were built with some kind of perimeter and segmentation in mind, and that simply doesn’t apply when your servers can come and go with the ebb and flow of your application needs.
For example, a few weeks ago I wrote about an identity and access management system for the public schools of the state of North Carolina. As hundreds of thousands of students log in to their online accounts at about the same time each day, the cloud infrastructure fires up new servers on the fly to handle the massive influx of users that need to be authenticated. Once that’s done, typically within an hour’s time, many of those servers are released until they are needed the next day.
Even if those extra servers are only in use for an hour a day, the security experts would still like to know they are protected with common security measures like firewall rules, configuration monitoring, file integrity monitoring, privileged access management, and so on. The question is how to apply those measures without holding back the rapid creation and deletion of the virtual servers.
CloudPassage fills this need with a security automation platform called Halo. The platform was purpose-built to automate security and compliance in any public, private, or hybrid cloud environment. It was designed to operate in a hands-off manner and borrows a paradigm from botnets. That is, it operates by putting a very tiny, unintelligent agent on the virtual servers. The agent may be dumb but it’s very good at following orders — like a bot. A CloudPassage analytics engine tells the agent what to do. This communication method is quite resilient and ultraportable; there is no virtualized environment that it cannot run in.
CloudPassage is able to automate various security functions on the virtual servers through its analytics engine. For example, to deploy a firewall to a virtual server, you start by building a logical security policy that is like any dynamic policy you build in any modern next-generation firewall or appliance. You apply these policies to groups of servers and the analytics engine works out the actual specific pinhole policy sets you need to put down. You end up with firewall policies that support dynamic objects, not just static entries. CloudPassage provides the intelligence to commoditize a firewall on the backend.
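The group-based policy resolution described above, shown as an added example (not CloudPassage's own code): the Fleet and Rule model, the group names, the addresses and the iptables rendering are all assumptions, constructed here to show how one logical rule turns into different per-host pinhole entries as servers join and leave a group.

```python
"""Resolve a logical, group-based firewall policy into per-host allow entries.

Hypothetical model (not CloudPassage's): each server carries group tags,
each rule names a source group, a destination group and a port, and the
resolver emits the concrete (src_ip, proto, port) entries every host needs.
Re-running it after membership changes is the 'dynamic object' behaviour.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    port: int
    proto: str = "tcp"


@dataclass
class Fleet:
    members: dict[str, set[str]] = field(default_factory=dict)  # ip -> groups

    def add(self, ip: str, *groups: str) -> None:
        self.members[ip] = set(groups)

    def remove(self, ip: str) -> None:
        self.members.pop(ip, None)

    def in_group(self, group: str) -> list[str]:
        return sorted(ip for ip, tags in self.members.items() if group in tags)


def resolve(fleet: Fleet, policy: list[Rule]) -> dict[str, list[tuple[str, str, int]]]:
    """Return, for every host, the sorted list of inbound pinholes it must open."""
    out: dict[str, set[tuple[str, str, int]]] = {ip: set() for ip in fleet.members}
    for rule in policy:
        for dst in fleet.in_group(rule.dst_group):
            for src in fleet.in_group(rule.src_group):
                if src != dst:  # a host never needs a pinhole to itself
                    out[dst].add((src, rule.proto, rule.port))
    return {ip: sorted(entries) for ip, entries in out.items()}


def to_iptables(entries: list[tuple[str, str, int]]) -> list[str]:
    """Render one host's entries as iptables INPUT rules with a default deny."""
    accepts = [f"-A INPUT -s {s} -p {p} --dport {port} -j ACCEPT" for s, p, port in entries]
    return accepts + ["-A INPUT -j DROP"]


def example() -> tuple[dict, dict]:
    """Constructed fleet: a load balancer, two web servers, one database."""
    fleet = Fleet()
    for ip, grp in [("10.0.0.5", "lb"), ("10.0.1.10", "web"), ("10.0.1.11", "web"), ("10.0.2.20", "db")]:
        fleet.add(ip, grp)
    policy = [Rule("lb", "web", 443), Rule("web", "db", 5432)]
    before = resolve(fleet, policy)
    fleet.add("10.0.1.12", "web")   # a server scales up into the web group...
    fleet.remove("10.0.1.10")       # ...and another is released
    return before, resolve(fleet, policy)
```

Running `example()` shows the database host's rule set changing from two allowed web sources to a different pair, while the policy itself never changed.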
The Halo platform also provides configuration monitoring and file integrity monitoring, which are important elements of compliance for HIPAA and other regulations. CloudPassage can tell you the state of the system so you know if something has drifted from compliance or is missing a setting. For files, the security platform can tell if, say, technical binaries or encrypted data change during operations when they shouldn’t have.
Halo provides privileged access management, multifactor authentication, software vulnerability scanning, log-based IDS, and more. The vendor is apparently able to layer on commoditized security functions because the underlying security automation platform has been designed generically enough so that it’s easy to give more tasks to the agent to perform. Halo is said to be able to constantly monitor the security and compliance of your dynamic cloud-server fleet. This should make network security managers happy while also giving the development operations people the flexibility and freedom they need to get their jobs done quickly.
The Halo platform is a SaaS solution. CloudPassage bills the same way that Amazon, Rackspace and Google Compute do — by charging an hourly rate for the agent. It’s one more way that CloudPassage acts in a way that is native to the cloud.
Linda Musthaler is a Principal Analyst with Essential Solutions Corp., which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.