Fair enough. It is your virtual environment so you should protect it. But what, in terms of security, should you expect from your provider? Before I answer that, consider the move lately to scrap the “trust, but verify” paradigm in favor of “trust nothing.” That may seem harsh but is really how we have conducted information security since the beginning. We never start with a wide open firewall and then start closing it down. We start with “allow nothing” and open only what we need to. In keeping with that philosophy, the answer to what you should expect in terms of cloud security from a cloud provider is nothing.
That only makes sense, actually. Your provider doesn't know your business like you do so, at the end of the day, securing it is your problem. And quite a problem it can be. However, this month's First Look may offer a ray of sunshine behind those clouds, as securing your virtual servers is exactly what CloudPassage does. It differs from the only other similar provider that I know of in that it provides some additional services beyond virtual machine (VM)-level firewalling. Add vulnerability and access management and you start to get a comprehensive suite of cloud security services at the VM level.
What kinds of organizations can benefit from adding their own security to the public cloud? Social media providers, software-as-a-service companies and suppliers of large-scale compute resources come to mind. That sounds pretty heavy – lots of compute resources in use, etc.
Adding something else to the mix might have a deleterious effect on the virtual servers in the cloud. That might be true if you added something that needs a lot of resources itself. CloudPassage's Halo Daemon does not have that requirement. All the Daemon does is collect information about its server and transmit it out to an external entity called the Halo Grid.
The Halo Grid is, itself, a virtual environment. It performs all of the analysis necessary to ensure that the servers reporting to it are free from security problems. If something is out of kilter, it tells the Halo Daemon what to do and the Daemon does it – bringing the server back to being secure.
There are some nice features in the firewall piece of this offering. For example, it supports incoming and outgoing rules so that if a bot does get onto a server and tries to phone home, it can be stopped.
For a company just over a year old, CloudPassage has a remarkably sophisticated product. There is a complete policy template library to help users get started. The configuration and policies look much like any firewall I've ever seen. For experienced security admins, configuration and policy implementation should be intuitive. Newbies will pick it up fast by using the provided policies as guides.
Today, the product is available for Linux only, Linux being the 800-pound gorilla in the server world. But the company plans a Windows version soon.
Overall, this is both an interesting product and a unique business and delivery model. If you plan to migrate your company's servers to the public cloud, have a look. You can try it out at no risk and might find that it is exactly the silver lining your clouds are looking for.
Price: CloudPassage offers a free version of Halo SVM and Halo Firewall products allowing customers to secure an unlimited number of cloud servers. Emerging products and advanced features will be offered as paid upgrades to extend customer capabilities as their cloud infrastructures grow.
What it does: Provides security management for virtual servers in a public cloud. Currently this includes firewall management, vulnerability management and access management.
What we liked: This is a really unique approach to a very serious problem. Since cloud providers look to their customers to provide their own information security, the process of protecting information on servers in a public cloud can be challenging.
What we didn't like: I am cautious about this one because it is so new (as is the company). However, at this point I see nothing not to like. I am a bit concerned about the business model. I would not want to see a great idea such as this one die well before its time for lack of funding.