Virtualization and cloud security: Innovators 2015

December 14, 2015

This is an emerging category. For some time – if we can look relativistically – there was a notion that we could secure the cloud with the traditional protections we have used for years in the hardware-defined data center. That turned out to be only half correct. We still need the functionality of traditional protections – at least in part – but the manner of deployment is quite different.

This category looks at both virtualization and cloud security. At first blush these seem like the same thing. But it's a bit more complicated than that. First, the cloud is not a technology. Rather, it is a business construct. That means that all of the deployed technology is at the mercy of contracts, not products. These contracts determine what you can and can't do.

The cloud is not a technology. Rather, it is a business construct.

We just heard of a customer of Microsoft's email hosting service that was generating spam. Since it was important for the customer to pinpoint the source of the spam on its email network, the customer called on Microsoft to give a bit of assistance. The answer was “Absolutely not.” Microsoft “for security reasons” does not allow the customer direct access to its own email. So the email cloud hosting service, while technically capable of helping, refused because the policy prohibited what the customer wanted.

This section's Innovators deal with exactly that kind of challenge: maintaining control and security over your own assets even though they may sit on a public cloud with draconian policies. The additional issue is the emergence of hybrid cloud systems as hugely popular architectures. Hybrid clouds have their own challenges and our Innovators can address them as well.

So the cloud may be little more, technically, than a virtual environment on someone else's computers, but you still need to be able to protect your digital assets, no matter what type of virtual environment they sit in. That can mean that you are protecting data or applications. The applications may be hybrid – functioning in multiple environments as in a hybrid cloud where the data is one place and the app is in another, or, they may be situated in a coherent, contiguous environment, such as a public or private cloud, or in a software-defined data center.

Vendor CloudPassage  

Flagship product Halo 

Cost Subscription-based pricing, contact vendor for details. 

Innovation Moving the functionality of traditional security tools to a new security platform designed explicitly to offer traditional security functionality along with the unique security requirements of virtual and cloud environments. 

Greatest strength Ability to look forward and apply technology directly to business needs.

CloudPassage

CloudPassage describes its mission simply: “Help enterprises achieve the speed and agility promised by elastic infrastructure, while at the same time protect critical business assets and automate compliance." CloudPassage believes that as companies adopt a mixture of physical and software-defined data centers and cloud environments they need a security and compliance platform that works seamlessly across all these models.

According to CloudPassage, its flagship product, Halo, provides an on-demand, automated security platform that works in any combination of data centers, private clouds and public clouds. The company strives to solve four major challenges for enterprises: instant visibility across multiple environments, enabling security to move at DevOps2 speed, reduce attack surfaces through segmentation, and automate compliance. So what was the inspiration for this innovation?

One of the things CloudPassage has observed is that we are in the most transformational era ever. Every industry, it believes, will eventually move to the cloud. The company saw that five years ago and set out to build a system to provide security, compliance, enforcement, visibility and to make sure that these all are consistent over time. The company observed that traditional security tools do not work in the cloud. However, organizations still need all of the functionality. But in the cloud, as we have seen, for contractual reasons you don't have control. So the founders built a company specifically designed for a dynamic cloud environment.

So, what is next for this Innovator? Certainly because of the development of the cloud – it's in its infancy now – organizations, as they move up the application delivery stack will become more and more dependent on it. Many company's personalities are not particularly technical but they still need IT. So, given that the cloud is easier for people to use, they tend to adopt third-party services to accelerate their business. That won't work without the proper security and CloudPassage believes that it can provide that security. They also believe that only about one percent of security vendors can address the cloud fully. That's why they started the company.

Vendor Catbird Networks 

Flagship product Catbird Insight and Catbird Secure 

Cost Annual recurring fee based on number of physical hosts. Catbird Insight starts at $3,200; Catbird Secure starts at $8,000. Innovation Approach to security visualization and security automation. 

Greatest strength Ability to address very large virtual environments efficiently.

Catbird Security

This is another company that we have been watching carefully. They have an interesting heritage that gave them the foresight to envision a day when there would be a virtual infrastructure. They saw this back when the company was founded in 2000.

Their offering is split into two products: Insight, which allows grouping of assets and gives access to assets and flows; and Secure, which allows automated security policy, procurements, auditing and enforcement. This provides consistency across policies across platforms. The CatBird system does not require agents because it sits on the hypervisor. It deploys very lightweight security wrappers around assets to be protected.

Catbird is extremely customer-oriented. Much of the functionality of its suite came from customer input. For example, the company was challenged by customers to provide actionable intelligence based on changes from baseline, a technique CatBird calls baseline vs drift.

Then customers challenged the company to ingest third-party netflows allowing them to dial back the clock to see when a data breach occurred and to see impacts more completely.

The challenges continued and continue to shape CatBird's offerings. So far, among other requests, customers have asked for an executive dashboard, creation of a “bad IP” zone for more actionable intelligence, extending the model (the wrappers are seen as secure containers) to include physical and public cloud workload, and providing a single dashboard for an enterprise view of actionable intelligence. Customers usually start with Insight and then move on to Secure.

Although the suite currently uses an agentless model for in-fabric visibility, the future will likely be a hybrid of both agent and agentless.

Another innovation is CatBird's approach to visualization. This is the way it shows network data and is able to show and visualize massive volume in an application context. Also unique is the company's approach to security automation. In the virtual world an organization might have thousands of virtual machines. These machines come and go rapidly making the virtual landscape an ever-changing one. The organization cannot manage them manually. That's where the CatBird tools come to the rescue. Applying security policy uniformly and automatically in this environment is the challenge the company was formed to meet.

prestitial ad