The document discusses security challenges for software-as-a-service (SaaS) businesses and how CloudPassage's Halo platform addresses them. Cloud-based development complicates traditional security approaches. Halo automates security controls across cloud infrastructures to enhance visibility, simplify compliance, and support agile development without slowing it down. Case studies show how Halo has helped large companies secure their transition to SaaS-based models and secure acquisitions built in public clouds.
14. Cloud Security Challenges
• There are many security challenges in cloud computing
• Some are more technical
– Tracking data migration from abc (mobility)
– Data/customer segmentation (Multi-tenancy)
– Identity and Access Management
– Incident response in multitenant environments
• Some are more “macro” level issues:
– Policy and Risk Assessment
– Governance
– Audit requirements
– Compliance
“If you’re a large
enterprise, somebody in
your organization is using
cloud computing, but
they’re not telling you.”
--James Staten, principal
analyst at Forrester
Research
15. The Role of Virtualization in the Cloud
• Virtualization is a cloud enabler
– Pooled resources
– Abstracted components and applications
– Shared infrastructure
– Resource and data migration and replication
• Virtualization technologies have security issues, too:
– More complexity, more moving parts
– New configuration controls
– Segmentation and separation
– Monitoring
16. Multi-tenancy: Security Issues
• One physical platform may host numerous
distinct entities’ data and services
• Critical needs arise for:
– Segmentation & Isolation
– Policy boundaries
– Monitoring (availability/security)
– Management
• Needs may differ for private vs. public cloud
types
17. Visibility
• Visibility is a challenge in cloud
environments – why?
– Customers do not have visibility into the
internal security controls in place at a cloud
provider facility
– Cloud providers need controls that are
flexible and dynamic across different
environments
19. Change Management in the Cloud
• Change management is one of the most important
operational aspects of the cloud
• Cloud computing is built on a foundation of
consistency and uniformity
– Changes can affect this dramatically
• Issues:
– Virtualized infrastructure increases the rate of change due
to dynamic nature
– Virtualization and multi-tenancy add new levels of
complexity
• App Virtual OS Virtual Hardware Storage
Hypervisor Platform Physical Hardware
20. Automation and DevOps
• In many SaaS cloud environments today, numerous
small/rapid code pushes are becoming necessary
– Automating this process with proper test and risk
assessment is key
• DevOps strives for a number of goals and focal
areas:
– Automated provisioning
– No-downtime deployments
– Monitoring
– “Fail fast and often”
– Automated builds and testing
23. Host-based Security Agents
• The biggest issue with host-based security
agents is resource consumption
– Too much RAM, CPU, etc.
– This is a serious issue in virtualized environments
• A lightweight, specially-adapted agent is needed
• Tight integration with the OS kernel and
components is also key
– Local scans and monitoring need to be as low-impact
as possible
– Scalability and centralized control are critical
26. Confidential NDA material. Do not distribute.
Security and Compliance Automation
Protect servers and applications in any private,
public, or hybrid cloud environment
Server Account
Managements
Security Event
Alerting
File Integrity
Monitoring
REST API
Integrations
Broad set of security controls, critical for
securing cloud-hosted applications
Firewall Automation
System & Application
Config Security
Multi-Factor
Authentication
Vulnerability &
Patch Scanning
28. Workload VM Instance
Operating System
Application Code
System Administration Services
Application
Engine
App Storage
Volume
System Storage
Volume
Halo Daemon
1
Halo activates firewall on boot, applies latest
policies, and orchestrates ongoing policy updates.
1
2
Halo secures privileged access via dynamic firewall
rules triggered by multi-factor user authentication.
2
4
Application configurations are scanned for
vulnerabilities and are continuously monitored.
4
5
Cryptographic integrity monitoring ensures app
code and binaries are not compromised.
5
6
Halo monitors system binary and config files for
correct ACLs, file integrity, and vulnerabilities.
6
Halo scans O.S. configurations for vulnerabilities
and continuously monitors O.S. state and activity.
3
3
7
Application data stores are monitored for access;
outbound firewall rules prevent data extrusion.
7