MENLO PARK, Calif. — Whenever a survey, whitepaper or other industry research comes out evaluating cloud computing, most of the attributes of this trend-setting style of IT receive a ton of praise.
However, if there is a hesitation on a potential customer’s part about investing capital into such a system, the No. 1 point of contention is invariable: security.
If it’s outside your firewall, logic says, it’s out of your control. God knows what can happen to precious business data in the care of someone else who doesn’t care about it as much as you have to.
Now there is something new to be considered. If a new startup, CloudPassage, is to be believed — and it indeed states a strong case — those security issues may soon be history.
CloudPassage launched both itself and its new automated cloud-based security IT on Jan. 26. In the process, the Menlo Park, Calif.-based startup introduced what co-founder and CEO Carson Sweet calls the industry’s “first and only server and compliance products that specifically provide multiple-level security for elastic cloud servers.”
Freely Downloadable Hosted Cloud-System Security
CloudPassage’s first offerings out of the gate are called Halo SVM (Server Vulnerability Management) and Halo Firewall. These hosted products, Sweet said, provide data center managers with automated, highly accurate server exposure assessment, configuration — compliance monitoring and network-access control — thus simplifying the three most fundamental practices for securing servers in public and hybrid clouds.
There’s another interesting aspect to all this: CloudPassage is using the open-source product-introduction model of giving away a free version to start, then making available optional premium services as needed.
So what exactly does it that mean to provide hosted, multiple-level security for elastic cloud servers? It will mean a lot, if it all works the way it is purported to work. And there are multiple beta users who can vouch for this.
Sweet, who earned his stripes at data-security market leader RSA by serving as principal solutions architect for the company’s financial institutions business, told eWEEK that security simply doesn’t work the same way in public cloud environments as it does in data centers.
“When individual servers, especially in a cloud system, become vulnerable, you can clone those things so fast. And when you clone one of those servers, you’re also cloning every vulnerability,” Sweet said. “Pretty soon, a big cloud server farm can begin to look like a chunk of Swiss cheese. You replicate the problems along with the actual server.”
The Legendary ‘Typhoid Mary’ Cloud Server
Sweet told of one legendary cloud server he knew about “that was just plopped out there. We called it Typhoid Mary, because when that started to get replicated, it was really bad news.” He wasn’t at liberty to tell exactly which system was affected, but it was a large one — and it became a huge mess, he said.
“The interesting thing is that we have gotten away with this in the data center for years, because of the firewalls and other security on the hardware devices,” Sweet said. “But you can’t do that in the cloud.”
To this end, Sweet has come up with the Halo security package. Halo SVM and Firewall places a small (less than 2MB) agent on each server to serve as a centrally managed sounding board that works fast. In fact, thousands of server configuration points can be assessed in seconds, Sweet said, which enables users to maintain continuous intelligence on exposures and compliance, even in fast-growing cloud-server farms that can spawn dozens of VMs (virtual machines) at a time.
“This (Halo) makes all those VMs into little mobile tanks-they can move around, you can put them on a backup server, and so on,” Sweet said. “Some of our early (beta) users had tried some other open-source solutions here, but there were two big problems that kept coming up: No. 1, they crushed server performance-chewed up loads of CPU time. The second big problem was, they’re not elastic.”
Halo saves server performance because it is runs on CloudPassage’s cloud, not locally. Elasticity, or scalability, is the other big feature, Sweet said.
“For example, look at Amazon’s (cloud) model,” he said. “They say, ‘We’re happy to deal with security up to the hypervisor. When we hand you the password to that server, however, you’re on your own. Good luck.’ They tell you that you need to harden the server; you need to add firewalls, access controls and so on. They’re not elastic; they don’t want that responsibility.
“So when you move out to the cloud, you want that scalability. The server is the only place you have complete control. So what we did was create a technology that uses an actual grid-computing model to take all the performance issues away and put a little tiny piece of software on each VM to handle security.”
Smart Daemon Does the Reporting; Grid Does Heavy Lifting
The Halo daemon is smart enough to know that when it gets duplicated, it recognizes what has happened and reports back to the Web-based central admin architecture, Sweet said. Thus, admins know where every VM is, what it is running or not running, and what the security conditions are, at all times.
“The daemon is really the eyes and ears of the VM,” Sweet said. “The grid does all the heavy lifting.”
An added bonus is that whenever access policies change- for example, when an employee leaves or is added to the permissions list-or patch management or software updates modify the VM, the daemon for each VM is automatically updated. This can save a huge amount of time for system admins, Sweet said.
Halo Firewall controls server attacks with its unified cloud-wide firewall policy management from CloudPassage’s graphical Web interface, eliminating operational overhead and errors caused by manual host-based firewall management.
In the background, Halo Firewall also solves issues concerning dynamic public-cloud IP addressing, which is often cited by IAAS (Infrastructure as a Service) providers as a serious complication in cloud-server firewall management.
Starter Version Freely Available
CloudPassage, founded in 2009 and backed by a group of venture capitalists and angel investors (led by U.S. Venture Partners) is now offering a free version of Halo SVM and Halo Firewall, enabling customers to secure an unlimited number of cloud servers.
Sweet is confident that giving away a free version will eventually bring profits to his company.
Sweet said emerging products and advanced features will be offered as paid upgrades to extend customer capabilities as their cloud infrastructures grow. Both products can be freely downloaded from the CloudPassage Web site.