cloud passage - securing servers in public & hybrid clouds


Upload: rightscale

Post on 15-Jul-2015


TRANSCRIPT

Page 1: Cloud Passage - Securing Servers in Public & Hybrid Clouds

© 2011 CloudPassage Inc.

Securing Servers in Public

& Hybrid Clouds

Carson Sweet

CEO, CloudPassage

RightScale User Conference

Watch the video of this presentation

Page 6

© 2011 CloudPassage Inc. www.cloudpassage.com

What’s So Different?

[Diagram: private datacenter vs. public cloud, with servers www-1 through www-10]

• Servers used to be highly isolated

– Bad guys clearly on the outside

– Layers of perimeter security

– Poor configurations were tolerable

• Cloud servers more exposed

– Outside of perimeter protections

– Little network control or visibility

– No idea who’s next door

• Sprawling, multiplying exposures

– Rapidly growing attack surface area

– More servers = more vulnerabilities

– More servers ≠ more people

• Fraudsters target cloud servers

– Softer targets to penetrate

– No perimeter defenses to thwart

– Elasticity = more botnet to sell

Page 7

Got Cloud Servers? You Are On The Hook!

“…the customer should assume responsibility and management of, but not limited to, the guest operating system… and associated application software…”

“…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”

Source: Amazon Web Services, Overview of Security Processes

[Diagram: AWS Shared Responsibility Model. Provider responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network. Customer responsibility: Virtual Machine, Operating System, App Framework, App Code, Data.]

Page 8

How To Secure Cloud Servers

Servers in hybrid and public clouds must be self-defending with highly automated controls like…

• Dynamic network access control

• Configuration and package security

• Server account visibility & control

• Server compromise & intrusion alerting

• Server forensics and security analytics

• Integration & automation capabilities

Page 9

Architectural Challenges

• Inconsistent Control (you don’t own everything)

– The only thing you can count on is guest VM ownership

• Elasticity (not all servers are steady-state)

– Cloudbursting, stale servers, dynamic provisioning

• Scalability (handle variable workloads)

– May have one dev server or 1,000 number-crunchers

• Portability (same controls work anywhere)

– Nobody wants multiple tools or IaaS provider lock-in

Page 10

How We Did It: Halo™ Architecture

• Halo Daemon

– Ultra light-weight software

– Installed on server image

– Automatically provisioned

• Halo Compute Grid

– Elastic compute grid

– Hosted by CloudPassage

– Does the heavy lifting for the Halo Daemons (95% or more cycles)

[Diagram: Halo Daemon running on server www-1, connected to the Halo Compute Grid]

Pages 11-15

Halo Architecture (diagram built up over five slides)

[Diagram: CloudPassage Halo. A Halo Daemon on server www-1 connects over https to the Halo Compute Grid. Policies & Commands travel from the grid to the daemon; Results & Updates travel from the daemon back to the grid, where State and Event Analysis is performed. Policies, Commands and Reports are managed through the User Portal and the RESTful API Gateway, both reached over https, which surface Alerts, Reports and Trending.]

Page 16

Halo™ Functional Capabilities

Halo is a security Software-as-a-Service providing all you need to secure your cloud servers.

• Dynamic network access control

• Configuration and package security

• Server account visibility & control

• Server compromise & intrusion alerting

• Halo GhostPorts server access control

• Halo REST API for integration & automation

Page 17

Portable = “Works Anywhere”

• Single pane of glass across hosting models

• Scales and bursts with dynamic cloud environments

• Not dependent on chokepoints, static networks or fixed IPs

• Agnostic to cloud provider, hypervisor or hardware

Page 18

RightScale Integration

• Deployment via RightScript (today)

– Extremely easy access to cloud server security

– Included in template = automatic security

– No other cloud management console can do this

• Self-Securing Server Templates (in R&D phase)

– CloudPassage IDs exposures & compliance issues

– RightScale consumes data, fixes issues via RightScripts

– New and existing servers become compliant “on the fly”

Page 19

Questions? Comments? Ideas?