CloudPassage Overview

© 2012 CloudPassage Inc.

CloudPassage Halo®

SaaS-delivered security and compliance automation for public, private and hybrid cloud servers

• Dynamic Cloud Firewall Automation
• Multi-Factor Authentication
• Server Account Management
• Server Security Events & Alerting
• Server Vulnerability Scanning
• System Integrity Monitoring & IDS

Eliminates barriers to cloud adoption
Enables cloud hosting & IaaS compliance
Puts customers in control of security


Our Investors

CloudPassage Snapshot

Halo® Security Offering
• Production users since July 2010
• Publicly accessible since Jan 2011
• Commercial release Oct 2011

Early Adoption
• Hundreds of active deployments
• 5000+ servers secured
• Millions of scans completed

Company Background
• Founded January 2010
• 34 employees & FTEs
• $21m in venture funding

Recent Awards


What’s So Different?

[Diagram: a private datacenter (www-1, www-2, www-3) beside a public cloud (www-4 through www-10)]

• Servers used to be highly isolated
  – Bad guys clearly on the outside
  – Layers of perimeter security
  – Poor configurations were tolerable

• Cloud servers more exposed
  – Outside of perimeter protections
  – Little network control or visibility
  – No idea who’s next door

• Sprawling, multiplying exposures
  – Rapidly growing attack surface area
  – More servers = more vulnerabilities
  – More servers ≠ more people

• Fraudsters target cloud servers
  – Softer targets to penetrate
  – No perimeter defenses to thwart
  – Elasticity = more botnet to sell


Cloud Security: A Shared Responsibility

[Diagram: the cloud stack layers Physical Facilities, Hypervisor, Compute & Storage, Shared Network, Virtual Machine, Data, App Code, App Framework and Operating System, divided between Provider Responsibility and Customer Responsibility]

“…the customer should assume responsibility and management of, but not limited to, the guest operating system and associated application software...”

“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”

Source: Amazon Web Services: Overview of Security Processes (AWS Shared Responsibility Model)


Hybrid Cloud Dangers

[Diagram: Legacy Datacenter (www-1 to www-4), Private / Hybrid Cloud (www-4 to www-6) and Public Cloud Provider (www-7 to www-9), with instance www-7 moving from the public cloud into the private cloud]

1. Attacker compromises public cloud instance
2. Root-kitted instance moved back to private cloud
3. Attacker now has access to private cloud and internal datacenter environment


Why Existing Solutions Fail

• Dramatically different network models
  – Big, flat, little to no physical segmentation
  – Virtual network backplanes complicate security
  – Reduced or no control over addressing, topology, hardware

• Self-service provisioning
  – Little to no review, change control vanishes
  – Automation of compliance is absolutely critical
  – “Customers” may not understand security

• Hybrid cloud environments
  – Development or temporary workloads into public clouds
  – Bringing cloud-hosted servers back into the enterprise
  – Multiple security tools & models


Security Products Must Adapt

[Diagram: Private Datacenter (www-1 to www-3), Cloud Provider A (www-4 to www-6) and Cloud Provider B (www-7 to www-10)]

• Temporary & Elastic Deployments
• Multiple Cloud Environments
• Metered Utility Usage


CloudPassage Architecture


How To Secure Cloud Servers

Servers in hybrid and public clouds must be self-defending with highly automated controls like…

• Dynamic network access control
• Configuration and package security
• Server account visibility & control
• Server compromise & intrusion alerting
• Server forensics and security analytics
• Integration & automation capabilities


Introducing CloudPassage Halo®

SaaS-delivered security and compliance automation for public, private and hybrid cloud servers

• Dynamic Cloud Firewall Automation
• Multi-Factor Authentication
• Server Account Management
• Server Security Events & Alerting
• Server Vulnerability Scanning
• System Integrity Monitoring & IDS

Eliminates barriers to cloud adoption
Enables cloud hosting & IaaS compliance
Puts customers in control of security


The Architectural Challenges

• Inconsistent Control (you don’t own everything)
  – The only thing you can count on is guest VM ownership

• Elasticity (not all servers are steady-state)
  – Cloud-bursting, stale servers, dynamic provisioning

• Scalability (highly variable server counts)
  – May have one dev server or 1,000 production web servers

• Portability (same controls work anywhere)
  – Nobody wants multiple tools or IaaS provider lock-in


Halo’s Architectural Goals

• Broad security capabilities at the guest VM level
  – Better security by deploying where there’s broader control
  – Server-level security scales in lockstep with servers
  – Security moves in real-time along with servers

• Built from the ground up so we could…
  – Make it perform well (don’t crush my server)
  – Make it truly portable (one pane of glass, please)
  – Make it easily repeatable (automate everything)

• Do it all at cloud-scale and cloud-speed


How It Works

[Diagram: a Halo Daemon on server www-1 connected to the Halo Grid]

• Halo Daemon
  – Ultra light-weight agent
  – Installed on server images
  – Automatically provisioned

• Halo Grid
  – Elastic compute grid
  – Hosted by CloudPassage
  – Does the heavy lifting for the Halo Daemons


[Diagram, repeated on the following slides: the Halo Daemon on server www-1 exchanging policies, commands and reports over https with the CloudPassage Halo Grid, which comprises the Compute Grid, the User Portal and the REST API Gateway]

Halo Daemon

Halo Daemons are installed on cloud server instances using CloudPassage-provided scripts or tools like Chef, Puppet or RightScale.

Policies & Commands

The Halo Daemon retrieves security policies and commands from the Halo Grid.

Policy templates are provided and can be customized via Halo User Portal or Halo REST API.

Results & Updates

The Halo Daemon executes commands and applies policies, returning results and new server state & event data to the Halo Grid.

Some examples include server account data, configuration details, and network changes.

State and Event Analysis

The Halo Grid analyzes data returned by the Halo Daemon and issues new commands to server Daemons to update security controls.

The Halo Grid provides 95% or more of analytics compute power, preserving server resources and performance.

Users receive alerts, reports, and other data via email, the Halo Portal, and the Halo REST API.
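The daemon/grid cycle described in the steps above, as an added illustration that is not CloudPassage code: a toy grid-side analysis that compares one daemon's reported server state with a policy and produces the commands the Grid would send back and the events it would surface as alerts. The policy and state fields, the command names and the sample report are all assumed for this example.

```python
"""Toy model of the Halo-style control loop: the daemon reports state,
the grid compares it with policy and replies with commands and events.
Added example, not CloudPassage code; schemas and command names assumed."""
from dataclasses import dataclass


@dataclass
class Policy:
    allowed_accounts: set   # local accounts permitted on the server
    allowed_ports: set      # TCP ports the firewall may leave open
    min_versions: dict      # package -> minimum acceptable version tuple


def grid_analyze(policy, state):
    """Grid-side analysis of one daemon report.
    Returns (commands for the daemon, events for alerting and reports)."""
    commands, events = [], []
    # Accounts present on the server but absent from policy: alert and disable.
    for acct in sorted(set(state["accounts"]) - policy.allowed_accounts):
        events.append(("unauthorized_account", acct))
        commands.append({"action": "disable_account", "user": acct})
    # Firewall drift: listening ports outside policy are closed again.
    for port in sorted(set(state["open_ports"]) - policy.allowed_ports):
        events.append(("firewall_drift", port))
        commands.append({"action": "close_port", "port": port})
    # Vulnerable packages are reported only; patching stays an operator decision.
    for pkg, minimum in policy.min_versions.items():
        installed = state["packages"].get(pkg)
        if installed is not None and installed < minimum:
            events.append(("vulnerable_package", pkg))
    return commands, events


# Constructed sample: policy for a web tier and one cloned server's report.
SAMPLE_POLICY = Policy(
    allowed_accounts={"root", "deploy"},
    allowed_ports={22, 443},
    min_versions={"openssl": (1, 0, 1)},
)
SAMPLE_STATE = {
    "accounts": ["root", "deploy", "tmpuser"],   # stale account left on the image
    "open_ports": [22, 443, 3306],               # database port exposed by mistake
    "packages": {"openssl": (1, 0, 0), "nginx": (1, 2, 0)},
}

if __name__ == "__main__":
    cmds, evs = grid_analyze(SAMPLE_POLICY, SAMPLE_STATE)
    for event in evs:
        print("event:", event)
    for cmd in cmds:
        print("command:", cmd)
```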

[Diagram: Halo Daemons on www-1, www-2, www-3 and www-4 reporting to the Halo Grid]

Halo Daemons are automatically deployed to new servers created through cloud-bursting or server cloning.

This ensures that security is consistent by making it part of the cloud stack itself.


Halo Is Completely Portable

Single pane of glass across hosting models
• Scales and bursts with dynamic cloud environments
• Not dependent on chokepoints, static networks or fixed IPs
• Agnostic to cloud provider, hypervisor or hardware

Public Cloud • Hybrid Cloud • Private Cloud • Traditional Hardware


Features and Pricing

Feature                                              Basic         NetSec          Pro
-------------------------------------------------    -----------   -------------   -------------
Firewall and Access Control
  Dynamic Firewall Automation                        ✔             ✔               ✔
  GhostPorts Multi-Factor Authentication                           ✔               ✔
Server Security, Integrity, and Intrusion Detection
  Server Account Management                                        ✔               ✔
  Configuration Security Monitoring                                                ✔
  Software Vulnerability Assessment                                                ✔
  File Integrity Monitoring                                                        ✔
Integration, Management, Support
  Web Management Portal                              ✔             ✔               ✔
  RESTful API Access                                 ✔             ✔               ✔
  Halo Event Logging & Alerting                      ✔             ✔               ✔
  Data Retention                                     One day       Two years       Two years
                                                     (FW events)   (FW events)     (All scans)
  Technical Support                                  Community     Professional    Professional
  Servers Protected                                  Up to 5       Unlimited       Unlimited
  Pricing per server                                 FREE          3.5¢ per        10¢ per
  (100 server/month subscription)                                  server-hour     server-hour
                                                                   or less         or less


Try Halo Pro - 5 Minute Setup

1. Register at cloudpassage.com
2. Configure security policies in Halo web portal
3. Install daemons on cloud servers

Free for up to 5 servers!


Summary

Cloud deployments require a new approach to security

Halo is the only security platform purpose-built for the cloud

All you need to secure your cloud servers


Thank You