CloudPassage Overview


  1. CloudPassage Overview
     © 2012 CloudPassage Inc.
  2. CloudPassage Halo®
     SaaS-delivered security and compliance automation for public, private and hybrid cloud servers
     • Dynamic Cloud Firewall Automation
     • System Integrity Monitoring & IDS
     • Multi-Factor Authentication
     • Server Account Management
     • Server Vulnerability Scanning
     • Server Security Events & Alerting
     Benefits:
     • Eliminates barriers to cloud adoption
     • Enables cloud hosting & IaaS compliance
     • Puts customers in control of security
  3. CloudPassage Snapshot
     Halo® Security Offering
     • Production users since July 2010
     • Publicly accessible since Jan 2011
     • Commercial release Oct 2011
     Early Adoption
     • Hundreds of active deployments
     • 5000+ servers secured
     • Millions of scans completed
     Company Background
     • Founded January 2010
     • 34 employees & FTEs
     • $21m in venture funding
     [Logo panels in the original slide: Recent Awards, Our Investors]
  4. What’s So Different?
     • Servers used to be highly isolated
       – Bad guys clearly on the outside
       – Layers of perimeter security
       – Poor configurations were tolerable
     • Cloud servers more exposed
       – Outside of perimeter protections
       – Little network control or visibility
       – No idea who’s next door
     • Sprawling, multiplying exposures
       – Rapidly growing attack surface area
       – More servers = more vulnerabilities
       – More servers ≠ more people
     • Fraudsters target cloud servers
       – Softer targets to penetrate
       – No perimeter defenses to thwart
       – Elasticity = more botnet to sell
     [Diagram: servers www-1 to www-3 in a private datacenter; servers www-4 to www-10 in a public cloud]
  5. Cloud Security: A Shared Responsibility
     AWS Shared Responsibility Model
     • Customer Responsibility: Data, App Code, App Framework, Operating System
     • Provider Responsibility: Virtual Machine, Hypervisor, Compute & Storage, Shared Network, Physical Facilities
     “…the customer should assume responsibility and management of, but not limited to, the guest operating system and associated application software...”
     “it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”
     Source: Amazon Web Services: Overview of Security Processes
  6. Hybrid Cloud Dangers
     1. Attacker compromises public cloud instance
     2. Root-kitted instance moved back to private cloud
     3. Attacker now has access to private cloud and internal datacenter environment
     [Diagram: Public Cloud Provider (www-7 to www-10), Private / Hybrid Cloud and Legacy Datacenter (www-1 to www-7), with steps 1 to 3 marked]
  7. Why Existing Solutions Fail
     • Dramatically different network models
       – Big, flat, little to no physical segmentation
       – Virtual network backplanes complicate security
       – Reduced or no control over addressing, topology, hardware
     • Self-service provisioning
       – Little to no review, change control vanishes
       – Automation of compliance is absolutely critical
       – “Customers” may not understand security
     • Hybrid cloud environments
       – Development or temporary workloads into public clouds
       – Bringing cloud-hosted servers back into the enterprise
       – Multiple security tools & models
  8. Security Products Must Adapt
     • Metered Utility Usage
     • Temporary & Elastic Deployments
     • Multiple Cloud Environments
     [Diagram: servers www-1 to www-10 spread across Private Datacenter, Cloud Provider A and Cloud Provider B]
  9. CloudPassage Architecture
  10. How To Secure Cloud Servers
      Servers in hybrid and public clouds must be self-defending with highly automated controls like…
      • Dynamic network access control
      • Server compromise & intrusion alerting
      • Configuration and package security
      • Server forensics and security analytics
      • Server account visibility & control
      • Integration & automation capabilities
  11. Introducing CloudPassage Halo®
      SaaS-delivered security and compliance automation for public, private and hybrid cloud servers
      • Dynamic Cloud Firewall Automation
      • System Integrity Monitoring & IDS
      • Multi-Factor Authentication
      • Server Account Management
      • Server Vulnerability Scanning
      • Server Security Events & Alerting
      Benefits:
      • Eliminates barriers to cloud adoption
      • Enables cloud hosting & IaaS compliance
      • Puts customers in control of security
  12. The Architectural Challenges
      • Inconsistent Control (you don’t own everything)
        – The only thing you can count on is guest VM ownership
      • Elasticity (not all servers are steady-state)
        – Cloud-bursting, stale servers, dynamic provisioning
      • Scalability (highly variable server counts)
        – May have one dev server or 1,000 production web servers
      • Portability (same controls work anywhere)
        – Nobody wants multiple tools or IaaS provider lock-in
  13. Halo’s Architectural Goals
      • Broad security capabilities at the guest VM level
        – Better security by deploying where there’s broader control
        – Server-level security scales in lockstep with servers
        – Security moves in real-time along with servers
      • Built from the ground up so we could…
        – Make it perform well (don’t crush my server)
        – Make it truly portable (one pane of glass, please)
        – Make it easily repeatable (automate everything)
      • Do it all at cloud-scale and cloud-speed
  14. How It Works
      • Halo Daemon
        – Ultra light-weight agent
        – Installed on server images
        – Automatically provisioned
      • Halo Grid
        – Elastic compute grid
        – Hosted by CloudPassage
        – Does the heavy lifting for the Halo Daemons
      [Diagram: Halo Daemon on server www-1, Halo Grid]
  15. Halo Daemons are installed on cloud server instances using CloudPassage-provided scripts or tools like Chef, Puppet or RightScale.
      [Diagram: Halo Daemon on www-1; User Portal, REST API Gateway and CloudPassage Halo Compute Grid, with https links; Policies, Commands, Reports]
  16. The Halo Daemon retrieves security policies and commands from the Halo Grid.
      Policy templates are provided and can be customized via Halo User Portal or Halo REST API.
      [Diagram: Halo Daemon on www-1; User Portal, REST API Gateway and CloudPassage Halo Compute Grid, with https links; flow shown: Policies & Commands]
  17. The Halo Daemon executes commands and applies policies, returning results and new server state & event data to the Halo Grid.
      Some examples include server account data, configuration details, and network changes.
      [Diagram: Halo Daemon on www-1; User Portal, REST API Gateway and CloudPassage Halo Compute Grid, with https links; flow shown: Results & Updates]
  18. The Halo Grid analyzes data returned by the Halo Daemon and issues new commands to server Daemons to update security controls.
      The Halo Grid provides 95% or more of analytics compute power, preserving server resources and performance.
      [Diagram: Halo Daemon on www-1; User Portal, REST API Gateway and CloudPassage Halo Compute Grid, with https links; flow shown: State and Event Analysis]
  19. Users receive alerts, reports, and other data via email, the Halo Portal, and the Halo REST API.
      [Diagram: Halo Daemon on www-1; User Portal, REST API Gateway and CloudPassage Halo Compute Grid, with https links; Policies, Commands, Reports]
  20. Halo Daemons are automatically deployed to new servers created through cloud-bursting or server cloning.
      This ensures that security is consistent by making it part of the cloud stack itself.
      [Diagram: Halo Daemons on www-1 to www-4; User Portal, REST API Gateway and CloudPassage Halo Compute Grid, with https links; Policies, Commands, Reports]
  21. Halo Is Completely Portable
      Single pane of glass across hosting models
      • Scales and bursts with dynamic cloud environments
      • Not dependent on chokepoints, static networks or fixed IPs
      • Agnostic to cloud provider, hypervisor or hardware
  22. Features and Pricing (plans: Basic, NetSec, Pro)
      Firewall and Access Control
      • Dynamic Firewall Automation ✔ ✔ ✔
      • GhostPorts Multi-Factor Authentication ✔ ✔
      Server Security, Integrity, and Intrusion Detection
      • Server Account Management ✔ ✔
      • Configuration Security Monitoring ✔
      • Software Vulnerability Assessment ✔
      • File Integrity Monitoring ✔
      Integration, Management, Support
      • Web Management Portal ✔ ✔ ✔
      • RESTful API Access ✔ ✔ ✔
      • Halo Event Logging & Alerting ✔ ✔ ✔
      • Data Retention: Basic, one day (FW events); NetSec, two years (FW events); Pro, two years (all scans)
      • Technical Support: Basic, Community; NetSec, Professional; Pro, Professional
      • Servers Protected: Basic, up to 5; NetSec, unlimited; Pro, unlimited
      • Pricing per server (100 server/month subscription): Basic, FREE; NetSec, 3.5¢ per server-hour or less; Pro, 10¢ per server-hour or less
  23. Try Halo Pro - 5 Minute Setup
      Free for up to 5 servers!
      • Register at cloudpassage.com
      • Install daemons on cloud servers
      • Configure security policies in Halo web portal
  24. Summary
      • Cloud deployments require a new approach to security
      • Halo is the only security platform purpose-built for the cloud
      • All you need to secure your cloud servers
  25. Thank You