This is a guest post written and contributed by Chris Brenton, Cloud Security Architect for CloudPassage, a Rackspace Cloud Tools partner. CloudPassage Halo is the first fully elastic, portable security solution for protecting Cloud Servers.
Hello cloud owners! I’m Chris Brenton, Cloud Security Architect at CloudPassage. Our flagship product is called Halo, and through the Rackspace Cloud Tools program, Halo can help you secure your Cloud Servers.
Does Cloud Server Security Matter?
Absolutely! We've gotten away with less-than-optimal server security for years because of network perimeter security. We've buried weak, exploitable hosts behind layers of firewalls, network IDS devices and perimeter gateways. None of these mechanisms are effective in public cloud environments, if they work at all. Cloud Infrastructure-as-a-Service (IaaS) offers huge benefits, but the tradeoff is giving up some control over hardware and networking - the two things critical to creating effective network perimeter security.
This means that Cloud Servers need to be far tougher than their data-center counterparts. They’re largely on their own to defend themselves. It’s critical that host-based firewalls, access privileges, vulnerability management, and intrusion prevention are effective. But how do you accomplish this without the benefits of a fully controlled perimeter?
Taking a New View
Effective Cloud Server protection requires embracing a new reality: the boundaries of the Cloud Server itself represent the new perimeter.
In order for cloud security to work, you need location-independent security tools. This ensures security controls aren't locked to a single network control point, thus making it easier to move servers from the internal network into public space. Cloud security needs to scale, both in terms of technical performance and operational overhead. Let's face it - if security is too painful to deal with, it's going to be ignored.
Mapping those requirements to IaaS, it's clear that the Cloud Server is where security needs to happen. The Cloud Server (a.k.a. virtual machine or guest) is the unit of portability, as well as the unit of scale, in today's IaaS deployments. When you move, scale, deploy, clone or burst something in cloud IaaS, it happens at the virtual machine level.
Halo: Server Security From Within
So we've seen that IaaS makes the virtual machine the lowest common denominator for control, scale and portability. This is why CloudPassage Halo is designed to implement security at the virtual machine level as a way to keep up with the dynamic nature of IaaS.
Security controls provided by Halo are easy to deploy, yet are scalable, portable and have almost no resource or performance impact on your server. These are critical characteristics for securing an IaaS cloud farm. Here's some more detail:
• Elastic Security – After Halo is installed on images used to create new servers, Halo automatically deploys on the new servers and inherits the parent image’s latest security policies. Server security is automatic when you cloudburst or scale.
• Scalable Security – The Halo architecture combines the ultra-light Halo Daemon with the elastic Halo Grid to offload the vast majority of security processing from your Cloud Servers. This means server security that scales seamlessly along with cloud farms.
• Portable Security – The Halo architecture enables Cloud Servers to be moved from data center to cloud and back, while retaining full security controls. IP address changes and other location-dependent factors are updated automatically.
CloudPassage Halo was designed to enable IaaS users to secure their Cloud Servers with easy-to-use, yet highly scalable, automated tools. We hope you'll give it a try. We think you'll find it a simple yet effective approach to secure your Cloud Servers.
After a five-minute installation process, Halo provides vulnerability management, compliance monitoring, centralized iptables/NetFilter firewall management, and server account auditing. Future features will include intrusion detection & prevention, remote server forensics and fully portable host-to-network VPN capabilities.
For more information, check out http://www.cloudpassage.com/. You can also see a quick overview video or register for a free CloudPassage Halo account.
Want to learn more? Have questions? Join us for a live webinar:
When: Thursday, July 14, 2011 @ 2PM CDT
Topic: Infrastructure Security in the Cloud
Cameron Nouri, from the Rackspace Business Development team, is your connection to the Rackspace Cloud Tools Partner Ecosystem. If you have developed solutions or services that make it easier for people to take advantage of the cloud, he would like to talk to you! You can contact Cameron any time to learn more about this unique program and the benefits for your business.