CloudPassage Overview
Transcript of CloudPassage Overview
© 2012 CloudPassage Inc.
CloudPassage Halo®
SaaS-delivered security and compliance automation for public, private and hybrid cloud servers
Dynamic Cloud Firewall Automation
Multi-Factor Authentication
Server Account Management
Server Security Events & Alerting
Server Vulnerability Scanning
System Integrity Monitoring & IDS
Eliminates barriers to cloud adoption
Enables cloud hosting & IaaS compliance
Puts customers in control of security
Our Investors
CloudPassage Snapshot
• Production users since July 2010
• Publicly accessible since Jan 2011
• Commercial release Oct 2011
Halo® Security Offering
Early Adoption
• Hundreds of active deployments
• 5000+ servers secured
• Millions of scans completed
Company Background
• Founded January 2010
• 34 employees & FTEs
• $21m in venture funding
Recent Awards
What’s So Different?
[Diagram: private datacenter (www-1, www-2, www-3) alongside public cloud (www-4 through www-10)]
• Servers used to be highly isolated
– Bad guys clearly on the outside
– Layers of perimeter security
– Poor configurations were tolerable
• Cloud servers more exposed
– Outside of perimeter protections
– Little network control or visibility
– No idea who’s next door
• Sprawling, multiplying exposures
– Rapidly growing attack surface area
– More servers = more vulnerabilities
– More servers ≠ more people
• Fraudsters target cloud servers
– Softer targets to penetrate
– No perimeter defenses to thwart
– Elasticity = more botnet to sell
Cloud Security: A Shared Responsibility
[Diagram: AWS shared responsibility stack]
Provider Responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network
Customer Responsibility: Virtual Machine, Data, App Code, App Framework, Operating System
“…the customer should assume responsibility and management of, but not limited to, the guest operating system and associated application software...”
“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Amazon Web Services: Overview of Security Processes
AWS Shared Responsibility Model
Hybrid Cloud Dangers
[Diagram: legacy datacenter (www-1 to www-4), private / hybrid cloud (www-4 to www-6) and public cloud provider (www-7 to www-9), with instance www-7 moving from the public cloud into the private cloud]
1. Attacker compromises public cloud instance
2. Root-kitted instance moved back to private cloud
3. Attacker now has access to private cloud and internal datacenter environment
Why Existing Solutions Fail
• Dramatically different network models
– Big, flat, little to no physical segmentation
– Virtual network backplanes complicate security
– Reduced or no control over addressing, topology, hardware
• Self-service provisioning
– Little to no review, change control vanishes
– Automation of compliance is absolutely critical
– “Customers” may not understand security
• Hybrid cloud environments
– Development or temporary workloads into public clouds
– Bringing cloud-hosted servers back into the enterprise
– Multiple security tools & models
Security Products Must Adapt
[Diagram: Cloud Provider A (www-4 to www-6), Cloud Provider B (www-7 to www-10) and a private datacenter (www-1 to www-3)]
Temporary & Elastic Deployments
Multiple Cloud Environments
Metered Utility Usage
How To Secure Cloud Servers
Servers in hybrid and public clouds must be self-defending with highly automated controls like…
• Dynamic network access control
• Configuration and package security
• Server account visibility & control
• Server compromise & intrusion alerting
• Server forensics and security analytics
• Integration & automation capabilities
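The first control on that list, dynamic network access control, is what the deck elsewhere calls a firewall that is "not dependent on chokepoints, static networks or fixed IPs". The example below is an added illustration of that idea and is not CloudPassage code: an inbound policy is written in terms of server groups, rendered into per-host iptables rule lines, and regenerated from inventory when a member's address changes. The inventory, the group names, the policy tuple format and the rule strings are all constructed for this example; nothing here executes iptables.

```python
# Added example, not CloudPassage code: rendering a group-based network access
# policy into per-host iptables rules and regenerating them when a server's IP
# changes. The inventory, policy format and group names are constructed here.
from typing import Dict, List, Tuple

Inventory = Dict[str, Tuple[str, str]]          # server name -> (group, current IP)
Policy = List[Tuple[str, str, str, int]]        # (from_group, to_group, proto, port)

# Constructed sample inventory; IPs are assigned by the cloud provider and can change.
INVENTORY: Inventory = {
    "www-1": ("web", "10.0.1.11"),
    "www-2": ("web", "10.0.1.12"),
    "db-1": ("db", "10.0.2.21"),
    "lb-1": ("lb", "10.0.0.5"),
}

# Constructed sample policy, written in terms of groups rather than addresses,
# so that it stays valid no matter which IPs the members currently hold.
POLICY: Policy = [
    ("lb", "web", "tcp", 443),     # load balancers may reach web servers on 443
    ("web", "db", "tcp", 5432),    # web servers may reach the database on 5432
]


def members(inventory: Inventory, group: str) -> List[str]:
    """Current IPs of every server in a group, sorted for stable rule output."""
    return sorted(ip for _, (g, ip) in inventory.items() if g == group)


def rules_for(server: str, inventory: Inventory, policy: Policy) -> List[str]:
    """Render the INPUT chain for one host as iptables rule lines.

    Only rules whose destination group matches this host are emitted; every
    other inbound packet falls through to the final DROP."""
    group, _ = inventory[server]
    rules = [
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src_group, dst_group, proto, port in policy:
        if dst_group != group:
            continue
        for src_ip in members(inventory, src_group):
            rules.append(f"-A INPUT -s {src_ip}/32 -p {proto} --dport {port} -j ACCEPT")
    rules.append("-A INPUT -j DROP")
    return rules


def diff_rules(old: List[str], new: List[str]) -> Tuple[List[str], List[str]]:
    """Rules to add and rules to remove when moving from `old` to `new`."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


def demo() -> Tuple[List[str], Tuple[List[str], List[str]]]:
    """Constructed scenario: www-2 is re-provisioned and comes back with a new
    IP; the database host's rules are regenerated from the unchanged policy."""
    inventory = dict(INVENTORY)
    before = rules_for("db-1", inventory, POLICY)
    inventory["www-2"] = ("web", "10.0.1.99")   # new address after re-provisioning
    after = rules_for("db-1", inventory, POLICY)
    return before, diff_rules(before, after)


if __name__ == "__main__":
    before, (added, removed) = demo()
    print("\n".join(before))
    print("added:", added)
    print("removed:", removed)
```

The point of keying the policy on groups is visible in `demo()`: the policy text never changes when www-2 gets a new address, only the rendered rule on db-1 does, and `diff_rules` shows exactly which line to add and which to retire. A host that no policy names as a destination (lb-1 here) renders to nothing but loopback, established-connection and DROP rules.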
Introducing CloudPassage Halo®
SaaS-delivered security and compliance automation for public, private and hybrid cloud servers
Dynamic Cloud Firewall Automation
Multi-Factor Authentication
Server Account Management
Server Security Events & Alerting
Server Vulnerability Scanning
System Integrity Monitoring & IDS
Eliminates barriers to cloud adoption
Enables cloud hosting & IaaS compliance
Puts customers in control of security
The Architectural Challenges
• Inconsistent Control (you don’t own everything)
– The only thing you can count on is guest VM ownership
• Elasticity (not all servers are steady-state)
– Cloud-bursting, stale servers, dynamic provisioning
• Scalability (highly variable server counts)
– May have one dev server or 1,000 production web servers
• Portability (same controls work anywhere)
– Nobody wants multiple tools or IaaS provider lock-in
Halo’s Architectural Goals
• Broad security capabilities at the guest VM level
– Better security by deploying where there’s broader control
– Server-level security scales in lockstep with servers
– Security moves in real-time along with servers
• Built from the ground up so we could…
– Make it perform well (don’t crush my server)
– Make it truly portable (one pane of glass, please)
– Make it easily repeatable (automate everything)
• Do it all at cloud-scale and cloud-speed
How It Works
[Diagram: Halo Daemon on server www-1 communicating with the Halo Grid]
• Halo Daemon
– Ultra light-weight agent
– Installed on server images
– Automatically provisioned
• Halo Grid
– Elastic compute grid
– Hosted by CloudPassage
– Does the heavy lifting for the Halo Daemons
[Diagram: Halo Daemon on www-1 exchanging policies, commands and reports over https with the CloudPassage Halo Grid (Compute Grid, User Portal, REST API Gateway)]
Halo Daemons are installed on cloud server instances using CloudPassage-provided scripts or tools like Chef, Puppet or RightScale.
Policies & Commands
The Halo Daemon retrieves security policies and commands from the Halo Grid.
Policy templates are provided and can be customized via Halo User Portal or Halo REST API.
Results & Updates
The Halo Daemon executes commands and applies policies, returning results and new server state & event data to the Halo Grid.
Some examples include server account data, configuration details, and network changes.
State and Event Analysis
The Halo Grid analyzes data returned by the Halo Daemon and issues new commands to server Daemons to update security controls.
The Halo Grid provides 95% or more of analytics compute power, preserving server resources and performance.
Users receive alerts, reports, and other data via email, the Halo Portal, and the Halo REST API.
[Diagram: Halo Daemons on www-1 through www-4, each connected to the Halo Grid]
Halo Daemons are automatically deployed to new servers created through cloud-bursting or server cloning.
This ensures that security is consistent by making it part of the cloud stack itself.
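The preceding slides describe one loop: the daemon pulls a policy and commands from the grid, runs the checks on the host, returns results, and the grid does the comparison work and answers with new commands. The example below is an added toy model of that loop and is not CloudPassage code; it uses the deck's file-integrity-monitoring control and replays the "Hybrid Cloud Dangers" scenario, where an instance (www-7 in the slides) comes back with altered files. The `Grid` and `Daemon` classes, the policy and command dictionaries, the `isolate` command and the watched file names are all assumptions made for illustration; the only real work is SHA-256 hashing and a baseline comparison.

```python
# Added example, not CloudPassage code: a toy model of the pull-based loop the
# slides describe (daemon fetches policy, scans, returns results; grid analyses
# them and issues commands), using a file-integrity policy. The Grid/Daemon
# classes, policy and command formats are assumptions made for illustration.
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are not slurped."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Grid:
    """Stand-in for the hosted side: holds the policy and per-server baselines,
    does the comparison work, and answers each report with commands."""

    def __init__(self, watched_paths: List[str]):
        self.policy = {"type": "file_integrity", "paths": list(watched_paths)}
        self.baselines: Dict[str, Dict[str, str]] = {}
        self.alerts: List[Tuple[str, str, str]] = []   # (server, file, kind)

    def get_policy(self, server_id: str) -> dict:
        return self.policy

    def submit_results(self, server_id: str, digests: Dict[str, str]) -> List[dict]:
        baseline = self.baselines.get(server_id)
        if baseline is None:
            # First report from this server: record the baseline, nothing to compare.
            self.baselines[server_id] = dict(digests)
            return [{"cmd": "baseline_recorded"}]
        tampered = False
        for path, digest in digests.items():
            if path not in baseline:
                self.alerts.append((server_id, os.path.basename(path), "added"))
            elif baseline[path] != digest:
                self.alerts.append((server_id, os.path.basename(path), "modified"))
                tampered = True
        for path in baseline:
            if path not in digests:
                self.alerts.append((server_id, os.path.basename(path), "missing"))
                tampered = True
        # A changed or missing watched file triggers a control update on the host.
        return [{"cmd": "isolate"}] if tampered else []


class Daemon:
    """Stand-in for the on-host agent: pulls policy, scans, reports, applies commands."""

    def __init__(self, server_id: str, grid: Grid):
        self.server_id = server_id
        self.grid = grid
        self.isolated = False

    def run_once(self) -> List[dict]:
        policy = self.grid.get_policy(self.server_id)
        digests = {p: sha256_file(p) for p in policy["paths"] if os.path.exists(p)}
        commands = self.grid.submit_results(self.server_id, digests)
        for command in commands:
            if command["cmd"] == "isolate":
                self.isolated = True   # a real agent would tighten the host firewall here
        return commands


def demo() -> dict:
    """Constructed scenario: baseline a clean instance, then alter one watched
    binary and delete another (as a root-kitted instance would look), and rescan."""
    with tempfile.TemporaryDirectory() as root:
        sshd = os.path.join(root, "sshd")
        ls = os.path.join(root, "ls")
        for path in (sshd, ls):
            with open(path, "wb") as f:
                f.write(b"clean build of " + os.path.basename(path).encode())
        grid = Grid([sshd, ls])
        daemon = Daemon("www-7", grid)
        first = daemon.run_once()
        with open(sshd, "ab") as f:
            f.write(b"\x00unexpected change")
        os.remove(ls)
        second = daemon.run_once()
        return {
            "first": [c["cmd"] for c in first],
            "second": [c["cmd"] for c in second],
            "alerts": sorted((name, kind) for _, name, kind in grid.alerts),
            "isolated": daemon.isolated,
        }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over from the slides. The host only hashes and reports; the baseline and the comparison live on the grid side, which is what lets the analysis work stay off the server. And the baseline is recorded per server on first contact, so a cloned or burst instance that starts from the same image gets its own record and its own alerts rather than inheriting another host's state.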
Halo Is Completely Portable
Single pane of glass across hosting models
• Scales and bursts with dynamic cloud environments
• Not dependent on chokepoints, static networks or fixed IPs
• Agnostic to cloud provider, hypervisor or hardware
Public Cloud | Hybrid Cloud | Private Cloud | Traditional Hardware
Features and Pricing

Feature                                              Basic                 NetSec                        Pro
Firewall and Access Control
  Dynamic Firewall Automation                        ✔                     ✔                             ✔
  GhostPorts Multi-Factor Authentication                                   ✔                             ✔
Server Security, Integrity, and Intrusion Detection
  Server Account Management                                                ✔                             ✔
  Configuration Security Monitoring                                                                      ✔
  Software Vulnerability Assessment                                                                      ✔
  File Integrity Monitoring                                                                              ✔
Integration, Management, Support
  Web Management Portal                              ✔                     ✔                             ✔
  RESTful API Access                                 ✔                     ✔                             ✔
  Halo Event Logging & Alerting                      ✔                     ✔                             ✔
  Data Retention                                     One day (FW events)   Two years (FW events)         Two years (All scans)
  Technical Support                                  Community             Professional                  Professional
  Servers Protected                                  Up to 5               Unlimited                     Unlimited
  Pricing per server (100 server/month subscription) FREE                  3.5¢ per server-hour or less  10¢ per server-hour or less
Try Halo Pro - 5 Minute Setup
1. Register at cloudpassage.com
2. Configure security policies in Halo web portal
3. Install daemons on cloud servers
Free for up to 5 servers!
Summary
Cloud deployments require a new approach to security
Halo is the only security platform purpose-built for the cloud
All you need to secure your cloud servers