Securing Your Cloud Servers with Halo NetSec
Rand Wacker, VP of Products
rand@cloudpassage.com
@randwacker

© 2012 CloudPassage Inc.
CloudPassage Halo was purpose-built to deliver real security for servers in the cloud.

What does CloudPassage do?
Security for virtual servers running in public and private clouds

• Firewall Management
• Compromise & intrusion alerting
• Server Configurations
• Security & compliance auditing
• Server account Management
• Vulnerability Management

CloudPassage Halo Packages

• Halo Basic: Free security for initial cloud migrations
• Halo NetSec (NEW): Full perimeter protection and security integration
• Halo Professional: Comprehensive security and compliance controls

Cloud Requires A New Approach to Security

Cloud Security Is New
(Diagram: a private datacenter with servers www-1, www-2, www-3 and www-4, above a public cloud.)

Cloud Security Is Different
(Diagram: the same private datacenter with www-1 through www-4; www-4 is now also shown in the public cloud.)

Cloud Security Is Complex
(Diagram: servers www-1 through www-10 spread across a Private Datacenter, Cloud Provider A and Cloud Provider B.)

Security Products Aren’t Adapting
(Diagram: the same Private Datacenter / Cloud Provider A / Cloud Provider B layout, annotated with Metered Usage, Temporary & Elastic Deployments, and Multiple Cloud Environments.)

Cloud Security Responsibility

Cloud Security Responsibility

AWS Shared Responsibility Model

“…the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...”

“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”

Amazon Web Services: Overview of Security Processes

(Diagram: the stack from top to bottom. Customer Responsibility: Data, App Code, App Framework, Operating System, Virtual Machine. Provider Responsibility: Hypervisor, Compute & Storage, Shared Network, Physical Facilities.)

Survey: Cloud Providers
Question: Which cloud hosting providers do you use?

(Bar chart of Amazon EC2, Rackspace, Terramark, GoGrid and Other; the bars shown are 50%, 30%, 16%, 9% and 6%.)

Source: CloudPassage CloudSec Community Survey
Survey: Cloud Security Practices
Question: How do you secure your cloud servers today?

(Chart of responses: Open source or custom-developed tools; Commercial Tool; We're not securing our cloud servers; My provider does it for me; Amazon Security Group.)

Source: CloudPassage CloudSec Community Survey
Survey: Cloud Security Concerns
Question: What security concerns are most important to you regarding public cloud computing? (Multiple Choice)

• Lack of perimeter defenses and/or network control: 44%
• Multi-tenancy of infrastructure or applications: 40%
• Achieving compliance with PCI or other standards: 26%
• Provider access to guest servers: 24%
• Enterprise security tools don't work in the cloud: 23%

Source: CloudPassage CloudSec Community Survey
Introducing Halo NetSec

Halo NetSec provides firewalling, 2-factor authentication, and full automation for the protection of cloud servers.

Halo NetSec: Dynamic Cloud Firewall

Traditional Perimeter Security
(Diagram: a private datacenter with two tiers of Load Balancer, App Server and DB, all behind a single Firewall.)

Dynamic Cloud Firewall
(Diagram: in the public cloud, a Load Balancer, two App Servers and a DB Master, each carrying its own FW and Halo daemon.)

Dynamic Cloud Firewall
(Diagram: the deployment grows to two Load Balancers, three App Servers, a DB Master and a DB Slave, each still with its own FW and Halo.)

Dynamic Cloud Firewall
(Diagram: a new App Server with its IP joins the same deployment and receives its own FW and Halo.)

Dynamic Cloud Firewall
(Diagram: the same deployment; the third App Server position now shows only an App Server and its IP, without FW or Halo.)

Multi-Cloud Firewall
(Diagram: US West Cloud with App Server, App Server and DB; US East Cloud with DB, App Server and App Server, each with FW and Halo; a Private Datacenter behind a Firewall with two DBs running Halo.)

Halo NetSec: GhostPorts 2-Factor Authentication

GhostPorts 2-Factor Auth
• YubiKey-generated one-time password
• USB token contains no batteries or moving parts
• Prevent brute force attacks on SSH and web applications

GhostPorts 2-Factor Auth
(Diagram: a DB Server with its FW and Halo daemon.)

GhostPorts 2-Factor Auth
(Diagram: the DB Server's Halo daemon talks over https to CloudPassage Halo / Halo Grid.)

Halo NetSec: Integration API

Halo Reduces Your Workload
Things you DON’T need to script with CloudPassage Halo

Managed Automatically
• Add new server to policy group
• Remove firewall policies when servers are retired
• Scan for vulnerabilities of installed software packages
• Many, many more…

Monitored Continually
• Verify firewall rules match policy
• Alert administrators of missing servers
• Monitor critical server configuration files for security posture
• Many, many more…

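The Dynamic Cloud Firewall slides and the "Add new server to policy group" / "Verify firewall rules match policy" items describe the same idea: host firewall rules are derived from group membership, re-rendered when a server joins or leaves, and continually compared against what the host actually runs. The following is an added example of that idea in plain Python; it is not CloudPassage's code, and the inventory, the policy schema and the iptables-style rule strings are assumptions made for illustration.

```python
"""Added example (not CloudPassage code): render a per-host firewall rule set
from a group-based policy, re-render it when a server joins, and detect drift
between the rules a host actually has and the rules policy says it should have.
The inventory, policy schema and iptables-style rule strings are assumptions."""

# Constructed inventory: server name -> (policy group, private IP). Hypothetical.
INVENTORY = {
    "lb-1": ("load-balancer", "10.0.1.10"),
    "app-1": ("app-server", "10.0.2.11"),
    "app-2": ("app-server", "10.0.2.12"),
    "db-master": ("db-server", "10.0.3.21"),
}

# Policy per group: (source group or "any", protocol, destination port).
# Sources are resolved to the current members of the named group, so the
# rendered rules follow the inventory instead of hard-coded addresses.
POLICY = {
    "load-balancer": [("any", "tcp", 443)],
    "app-server": [("load-balancer", "tcp", 8080)],
    "db-server": [("app-server", "tcp", 3306)],
}


def group_members(inventory, group):
    """Sorted IPs of every server currently in `group`."""
    return sorted(ip for grp, ip in inventory.values() if grp == group)


def render_rules(inventory, policy, server):
    """iptables-style INPUT rules for one server, derived from its group's policy."""
    group = inventory[server][0]
    rules = [
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -i lo -j ACCEPT",
    ]
    for src_group, proto, port in policy.get(group, []):
        if src_group == "any":
            sources = ["0.0.0.0/0"]
        else:
            sources = [f"{ip}/32" for ip in group_members(inventory, src_group)]
        for src in sources:
            rules.append(f"-A INPUT -s {src} -p {proto} --dport {port} -j ACCEPT")
    rules.append("-A INPUT -j DROP")  # default deny for anything not granted above
    return rules


def add_server(inventory, name, group, ip):
    """Return a new inventory with `name` added; callers re-render affected hosts."""
    updated = dict(inventory)
    updated[name] = (group, ip)
    return updated


def affected_servers(inventory, policy, group):
    """Servers whose rules reference `group` as a source and so need re-rendering."""
    return sorted(name for name, (grp, _) in inventory.items()
                  if any(src == group for src, _, _ in policy.get(grp, [])))


def drift(expected, actual):
    """(missing, unexpected) rules between rendered policy and a host's live rules."""
    return (sorted(set(expected) - set(actual)), sorted(set(actual) - set(expected)))


if __name__ == "__main__":
    before = render_rules(INVENTORY, POLICY, "db-master")
    grown = add_server(INVENTORY, "app-3", "app-server", "10.0.2.13")
    after = render_rules(grown, POLICY, "db-master")
    print("hosts to re-render after app-3 joined:", affected_servers(grown, POLICY, "app-server"))
    for rule in drift(before, after)[1]:
        print("new rule on db-master:", rule)
    # Constructed live rule set carrying one rule the policy never granted.
    live = after + ["-A INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j ACCEPT"]
    print("drift on db-master (missing, unexpected):", drift(after, live))
```

The drift check compares rule sets, not rule order; a production check would also confirm ordering, since an ACCEPT placed after the final DROP never matches. Retiring a server is the mirror image of `add_server`: remove it from the inventory and re-render every host returned by `affected_servers` for its group.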
Adding New Server Accounts
(Diagram: in the private datacenter, a Security Operations Portal, an Enterprise Provisioning System and a Corporate Directory call the RESTful API Gateway of CloudPassage Halo (Halo Grid), which pushes GhostPorts Access and Local Server Accounts to www-1 and www-2 in the public cloud, each running Halo.)

Other Cool Halo/API Tricks
• Set password reset requirements for a server user account.
• Find server accounts that don't have passwords (it happens).
• Find those spooky root-owned setuid files.
• Generate alerts if PID files go missing.
• Generate an alert if someone is in a group they shouldn't be in (like wheel).
• Generate massively detailed reports of server configuration status for auditors (keep 'em busy for weeks).
• Get a report of every server that a user *does not* have an account on.
• Get a report of every server that a user has an account on.
• Get alerted if a new cloud server gets created.
• Learn what process that TCP/IP port is bound to.
• Make sure that init.d startup scripts can't be tampered with by non-root users.
• Make sure that services are not running with excessive privileges.
• Monitor servers to detect old user accounts that should have been cleaned up, but might have gotten missed.

Many, many more at community.cloudpassage.com

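Four of the checks in the list above (accounts without passwords, unexpected members of a privileged group such as wheel, root-owned setuid files, and init.d scripts a non-root user could tamper with) are simple enough to show as code. The block below is an added example in plain Python, not CloudPassage's implementation; it parses standard /etc/shadow and /etc/group lines and uses a constructed list of file records as a stand-in for `os.lstat()` output so it runs offline.

```python
"""Added example (not CloudPassage code): account and file-permission audit
checks of the kind listed above, as plain functions over parsed host data.
Input formats are standard /etc/shadow and /etc/group lines; the file records
are a constructed stand-in for what os.lstat() would return on a real host."""
import os
import stat
from collections import namedtuple

FileRecord = namedtuple("FileRecord", "path mode uid")


def accounts_without_password(shadow_text):
    """Login names whose shadow password field is empty (login needs no password)."""
    empty = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            empty.append(fields[0])
    return empty


def unexpected_group_members(group_text, group, allowed):
    """Members of `group` (e.g. wheel) who are not on the approved list."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group:
            members = {m for m in fields[3].split(",") if m}
            return sorted(members - set(allowed))
    return []


def root_setuid_files(records):
    """Regular files owned by root (uid 0) with the setuid bit set."""
    return sorted(r.path for r in records
                  if r.uid == 0 and stat.S_ISREG(r.mode) and r.mode & stat.S_ISUID)


def tamperable_init_scripts(records, init_dir="/etc/init.d/"):
    """Startup scripts a non-root user could modify: not root-owned, or
    writable by group or others."""
    return sorted(r.path for r in records
                  if r.path.startswith(init_dir)
                  and (r.uid != 0 or r.mode & (stat.S_IWGRP | stat.S_IWOTH)))


def collect_records(top):
    """Real-host collector: walk `top` and build FileRecords from lstat()."""
    records = []
    for root, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip rather than abort
            records.append(FileRecord(path, st.st_mode, st.st_uid))
    return records


# Constructed sample data (not taken from any real host).
SAMPLE_SHADOW = "\n".join([
    "root:$6$saltsalt$hashhashhash:15000:0:99999:7:::",
    "deploy::15000:0:99999:7:::",
    "www-data:*:15000:0:99999:7:::",
])
SAMPLE_GROUP = "\n".join([
    "root:x:0:",
    "wheel:x:10:admin,deploy",
])
SAMPLE_RECORDS = [
    FileRecord("/usr/bin/passwd", stat.S_IFREG | 0o4755, 0),      # expected setuid root
    FileRecord("/usr/bin/vim", stat.S_IFREG | 0o755, 0),
    FileRecord("/home/deploy/tool", stat.S_IFREG | 0o4755, 1001), # setuid but not root-owned
    FileRecord("/etc/init.d/app", stat.S_IFREG | 0o775, 0),       # group-writable
    FileRecord("/etc/init.d/ssh", stat.S_IFREG | 0o755, 0),
    FileRecord("/etc/init.d/cron", stat.S_IFREG | 0o755, 1001),   # not root-owned
]


def audit(shadow_text=SAMPLE_SHADOW, group_text=SAMPLE_GROUP, records=SAMPLE_RECORDS):
    """Run every check and return the findings keyed by check name."""
    return {
        "no_password": accounts_without_password(shadow_text),
        "unexpected_wheel": unexpected_group_members(group_text, "wheel", {"admin"}),
        "root_setuid": root_setuid_files(records),
        "tamperable_init": tamperable_init_scripts(records),
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}: {findings}")
```

On a real host, feed `audit()` the contents of /etc/shadow and /etc/group (reading /etc/shadow requires root) and `collect_records("/")` for the file checks; the root-setuid list is then compared against a known-good baseline so that only new entries raise an alert.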
CloudPassage Halo Architecture

How It Works

• Halo Daemon
  – Ultra light-weight software
  – Installed on server image
  – Automatically provisioned

• Halo Grid
  – Elastic compute grid
  – Hosted by CloudPassage
  – Does the heavy lifting for the Halo Daemons

(Diagram: the Halo Daemon on www-1 talks to the Halo Grid.)

(Diagram: www-1 through www-4 each run Halo and talk over https to the CloudPassage Halo Compute Grid, exchanging Policies, Commands and Reports; a User Portal delivers Alerts, Reports and Trending, and a RESTful API Gateway also connects over https.)

Getting Started

Features and Pricing

                                          Basic      NetSec (New!)   Pro
Network Security
  Host Firewall Management                ✔          ✔               ✔
  GhostPorts Multi-Factor Authentication             ✔               ✔
Host Security
  Server Exposure Monitoring              ✔          ✔               ✔
  Software Vulnerability Monitoring       ✔          ✔               ✔
  Account & Access Scanning               ✔          ✔               ✔
  Cloud Server Event Logging & Alerting   ✔          ✔               ✔
  File Integrity Monitoring                                          ✔
  Data Storage                            One day    Two years       Two years
                                                     (FW events)     (All scans)
  Maximum Scanning Frequency              Daily      Daily           Hourly
Integration, Management Support
  Web Management Portal                   ✔          ✔               ✔
  RESTful API Access                                 ✔               ✔
  Technical Support                       Community  Professional    Professional
  Servers Protected                       Up to 25   Unlimited       Unlimited
  Pricing                                 FREE       3.5¢/hour       10¢/hour

FREE 5 Minute Setup
• Register at cloudpassage.com/register
• Install daemons on cloud servers
• Configure security policies in Halo web portal

Summary
• Cloud deployments require a new approach to security
• Halo is the only security platform purpose-built for the cloud
• All you need to secure your cloud servers

Q&A
Rand Wacker
rand@cloudpassage.com
@randwacker

Thank You!
For more information: info@cloudpassage.com
