1. Securing Your Cloud Servers with Halo NetSec
Rand Wacker
VP of Products
rand@cloudpassage.com
@randwacker
© 2012 CloudPassage Inc.
2. CloudPassage Halo was purpose-built to deliver real security for servers in the cloud.
3. What does CloudPassage do?
Security for virtual servers running in public and private clouds:
• Firewall Management
• Compromise & intrusion alerting
• Server Configurations
• Security & compliance auditing
• Server account Management
• Vulnerability Management
4. CloudPassage Halo Packages
Halo Basic
Free security for initial cloud migrations
NEW Halo NetSec
Full perimeter protection and security integration
Halo Professional
Comprehensive security and compliance controls
6. Cloud Security Is New
[Diagram: a private datacenter running www-1 to www-4, beside an empty public cloud]
7. Cloud Security Is Different
[Diagram: the private datacenter with www-1 to www-4, with www-4 now also shown in the public cloud]
8. Cloud Security Is Complex
[Diagram: servers spread across a Private Datacenter (www-1 to www-4), Cloud Provider A (www-4 to www-6) and Cloud Provider B (www-7 to www-10)]
9. Security Products Aren’t Adapting
• Metered Usage
• Temporary & Elastic Deployments
• Multiple Cloud Environments
[Diagram: the same servers across a Private Datacenter, Cloud Provider A and Cloud Provider B]
11. Cloud Security Responsibility
AWS Shared Responsibility Model
Customer responsibility: Data, App Code, App Framework, Operating System, Virtual Machine
Provider responsibility: Hypervisor, Compute & Storage, Shared Network, Physical Facilities
“…the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...”
“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Source: Amazon Web Services: Overview of Security Processes
12. Survey: Cloud Providers
Question: Which cloud hosting providers do you use?
• Amazon EC2: 50%
• Rackspace: 30%
• Terramark: 16%
• GoGrid: 9%
• Other: 6%
Source: CloudPassage CloudSec Community Survey
13. Survey: Cloud Security Practices
Question: How do you secure your cloud servers today?
• Open source or custom-developed tools
• Commercial tool
• We're not securing our cloud servers
• My provider does it for me
• Amazon Security Group
Source: CloudPassage CloudSec Community Survey
14. Survey: Cloud Security Concerns
Question: What security concerns are most important to you regarding public cloud computing? (Multiple choice)
• Lack of perimeter defenses and/or network control: 44%
• Multi-tenancy of infrastructure or applications: 40%
• Achieving compliance with PCI or other standards: 26%
• Provider access to guest servers: 24%
• Enterprise security tools don't work in the cloud: 23%
Source: CloudPassage CloudSec Community Survey
16. Halo NetSec provides firewalling, 2-factor authentication, and full automation for the protection of cloud servers.
17. Halo NetSec: Dynamic Cloud Firewall
18. Traditional Perimeter Security
[Diagram: a private datacenter with load balancers, app servers and DB servers all behind a single perimeter firewall]
19. Dynamic Cloud Firewall
[Diagram: a public cloud deployment of a load balancer, two app servers and a DB master, each running its own Halo firewall (FW)]
20. Dynamic Cloud Firewall
[Diagram: the deployment grows to two load balancers, three app servers and a DB master and slave, each with its own Halo firewall]
21. Dynamic Cloud Firewall
[Diagram: a new app server with its own IP joins the public cloud deployment and gets its own Halo firewall]
22. Dynamic Cloud Firewall
[Diagram: the public cloud deployment from the previous slide, with one app server highlighted by its IP]
23. Multi-Cloud Firewall
[Diagram: app and DB servers in US West Cloud and US East Cloud each run a Halo firewall; the Private Datacenter keeps its perimeter Firewall, with Halo on its DB servers]
27. Halo NetSec: GhostPorts 2-Factor Authentication
28. GhostPorts 2-Factor Auth
• YubiKey-generated one-time password
• USB token contains no batteries or moving parts
• Prevent brute force attacks on SSH and web applications
35. Halo Reduces Your Workload
Things you DON’T need to script with CloudPassage Halo
Managed Automatically:
• Add new server to policy group
• Remove firewall policies when servers are retired
• Scan for vulnerabilities of installed software packages
• Many, many more…
Monitored Continually:
• Verify firewall rules match policy
• Alert administrators of missing servers
• Monitor critical server configuration files for security posture
• Many, many more…
36. Adding New Server Accounts
[Diagram: an Enterprise Provisioning System and Corporate Directory in the private datacenter, plus the Security Operations Portal, talk to CloudPassage Halo through the RESTful API Gateway; the Halo Grid delivers GhostPorts access and local server accounts to the Halo daemons on www-1 and www-2 in the public cloud]
37. Other Cool Halo/API Tricks
• Set password reset requirements for a server user account.
• Find server accounts that don't have passwords (it happens).
• Find those spooky root-owned setuid files.
• Generate alerts if PID files go missing.
• Generate an alert if someone is in a group they shouldn't be in (like wheel).
• Generate massively detailed reports of server configuration status for auditors (keep 'em busy for weeks).
• Get a report of every server that a user *does not* have an account on.
• Get a report of every server that a user has an account on.
• Get alerted if a new cloud server gets created.
• Learn what process that TCP/IP port is bound to.
• Make sure that init.d startup scripts can't be tampered with by non-root users.
• Make sure that services are not running with excessive privileges.
• Monitor servers to detect old user accounts that should have been cleaned up, but might have gotten missed.
Many, many more at community.cloudpassage.com
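Several of these tricks are ordinary host-side audits. As an added example (not CloudPassage's or Halo's code), the POSIX shell functions below implement four of them: accounts without a password, members of a group such as wheel, startup scripts writable by non-root users, and root-owned setuid files. The functions take the files or directories to inspect as arguments; the sample data at the bottom is constructed here so the block runs stand-alone, and on a real host you would pass /etc/shadow, /etc/group, /etc/init.d and a binary directory instead.

```shell
#!/bin/sh
# Added example, not CloudPassage code: four host audit checks from the
# list above as plain POSIX shell functions. Each takes the file or
# directory to inspect as an argument; the sample data at the bottom is
# constructed so the block runs without root or a real Halo deployment.
set -u

# Accounts with an empty password field (shadow(5): name:hash:...).
# An empty field means no password is required at all.
accounts_without_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Members listed for one group (group(5): name:x:gid:member,member).
# Run against /etc/group with "wheel" to see who can escalate via su/sudo.
members_of_group() {
    awk -F: -v g="$2" '$1 == g && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# Startup scripts under $1 that group or others can write: a non-root user
# could edit them and have root run the change at the next boot.
writable_startup_scripts() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) | sort
}

# Setuid files under $1 owned by $2 (default root), the "spooky" ones.
setuid_files_owned_by() {
    find "$1" -type f -user "${2:-root}" -perm -4000 | sort
}

# --- constructed sample data so the block runs stand-alone ---------------
SAMPLE_DIR=$(mktemp -d)
printf 'root:$6$salt$hash:19000:0:99999:7:::\nguest::19000:0:99999:7:::\nwww:*:19000:0:99999:7:::\n' \
    > "$SAMPLE_DIR/shadow"
printf 'wheel:x:10:alice,bob\nwww:x:33:\n' > "$SAMPLE_DIR/group"
mkdir -p "$SAMPLE_DIR/init.d" "$SAMPLE_DIR/bin"
printf '#!/bin/sh\n' > "$SAMPLE_DIR/init.d/httpd";  chmod 0755 "$SAMPLE_DIR/init.d/httpd"
printf '#!/bin/sh\n' > "$SAMPLE_DIR/init.d/backup"; chmod 0777 "$SAMPLE_DIR/init.d/backup"
: > "$SAMPLE_DIR/bin/su"; chmod 4755 "$SAMPLE_DIR/bin/su"
: > "$SAMPLE_DIR/bin/ls"; chmod 0755 "$SAMPLE_DIR/bin/ls"

echo "accounts without password:"; accounts_without_password "$SAMPLE_DIR/shadow"
echo "members of wheel:";          members_of_group "$SAMPLE_DIR/group" wheel
echo "writable startup scripts:";  writable_startup_scripts "$SAMPLE_DIR/init.d"
echo "setuid files:";              setuid_files_owned_by "$SAMPLE_DIR/bin" "$(id -un)"
```

The sample setuid file is owned by whoever runs the script, so the last call passes `$(id -un)` as the owner; on a real host leave the second argument off to audit root-owned files.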
39. How It Works
• Halo Daemon
– Ultra light-weight software
– Installed on server image
– Automatically provisioned
• Halo Grid
– Elastic compute grid
– Hosted by CloudPassage
– Does the heavy lifting for the Halo Daemons
[Diagram: Halo daemons on www-1 report to the Halo Grid]
40. [Diagram: Halo daemons on www-1 to www-4 connect over https to the CloudPassage Halo Compute Grid; policies, commands and reports pass through the RESTful API Gateway; alerts, reports and trending are delivered to the User Portal]
42. CloudPassage Halo Packages
Halo Basic
Free security for initial cloud migrations
NEW Halo NetSec
Full perimeter protection and security integration
Halo Professional
Comprehensive security and compliance controls
43. Features and Pricing
Feature                                   Basic        NetSec (New!)  Pro
Network Security
  Host Firewall Management                ✔            ✔              ✔
  GhostPorts Multi-Factor Authentication               ✔              ✔
Host Security
  Server Exposure Monitoring              ✔            ✔              ✔
  Software Vulnerability Monitoring       ✔            ✔              ✔
  Account & Access Scanning               ✔            ✔              ✔
  Cloud Server Event Logging & Alerting   ✔            ✔              ✔
  File Integrity Monitoring                                           ✔
  Data Storage                            One day      Two years      Two years
                                          (FW events)  (All scans)
  Maximum Scanning Frequency              Daily        Daily          Hourly
Integration, Management, Support
  Web Management Portal                   ✔            ✔              ✔
  RESTful API Access                                   ✔              ✔
  Technical Support                       Community    Professional   Professional
Servers Protected                         Up to 25     Unlimited      Unlimited
Pricing                                   FREE         3.5¢/hour      10¢/hour
44. FREE 5 Minute Setup
• Register at cloudpassage.com/register
• Install daemons on cloud servers
• Configure security policies in Halo web portal
45. Summary
• Cloud deployments require a new approach to security
• Halo is the only security platform purpose-built for the cloud
• All you need to secure your cloud servers
46. Q&A
Rand Wacker
rand@cloudpassage.com
@randwacker
47. Thank You!
For more information:
info@cloudpassage.com