Startup CloudPassage Tackles Cloud Server Security With New Services

Data privacy, security and reliability are the biggest concerns surrounding cloud computing, according to a recent survey of IT executives conducted by the non-profit IT Governance Institute (ITGI). It's no surprise then that a number of IT vendors are scrambling to address those concerns. Take CloudPassage, for example. The startup recently unveiled its Halo SVM (Server Vulnerability Management) and Halo Firewall, server security and compliance services that the company says are built specifically for elastic clouds.

CloudPassage, which came out of stealth mode in late January, was started in October 2009 by Carson Sweet, Talli Somekh and Vitaliy Geraymovych--each of whom has years of technology and IT security experience, including the development of early virtualization security solutions. CloudPassage's new services are aimed at providing security to cloud servers that are supposed to be elastic and flexible. But current security limitations can force companies to curtail that elasticity or spend lots of time performing manual tasks.

According to Sweet, existing security solutions aren't elastic because vulnerability management and firewall configurations have to be individually managed on every new cloned or bursted server. Moreover, organizations aren't able to create perimeters or demilitarized zones (DMZs) to protect their cloud servers because in public cloud infrastructures, such as Amazon EC2, they don't own or control the networks.

Companies can't put security hardware in those clouds, Sweet says. "Also in those environments, you don't even have the power to manage IP addresses." IP addresses are typically assigned, and if a company wants to use a security product to identify and protect a server, the assigned IP addresses have to be manually configured in the security tools. If you have server that moves, which happens all the time, the IP address will change, and so any configuration you already had will break. Then you'll have to go in and and manually reconfigure."

CloudPassage's solution attempts to overcome these challenges by automatically securing cloud servers when they burst or are cloned. Once security is set up on one server, all copies of that server that are created later will automatically adopt those security controls.Judith Hurwitz, president and CEO of Hurwitz & Associates, a strategy consulting, market research and analyst firm, says she is impressed with CloudPassage. "It appears that they are focused on some difficult problems with cloud security. Cloud security is complicated because of issues related to how and what individuals and groups can access, based on roles and authorization. In addition, you have compliance issues related to geographies and data location."

CloudPassage's core architecture, on which the Halo SVM and Halo Firewall products are built, includes two components: Halo Daemon and Halo Grid. Halo Daemon is a lightweight (under 2Mbyte) software component that runs as a service on each cloud server and monitors server security factors such as IP addressing, installed software, running processes and open network ports. Halo Grid is an analytics tool that evaluates data collected by the Halo Daemon and, using business rules and policies, makes decisions based on the data to create alerts and reports or even update security parameters.

Currently, CloudPassages has built 18 different templates for Linux servers (expect support for Windows servers later this year) and continues to build more templates. Customers can create policies, as well. Communication between the Dameons and Grid is encrypted.

Halo SVM assesses exposures on cloud servers; it can scan and assess server configurations continuously. Halo Firewall controls server attack surfaces by centralizing and automating host-based firewall management and lets customers manage their firewall policies via a graphical Web front end.

It also automatically updates individual host-based firewall configurations whenever cloud servers are added or removed--including server cloning or cloudbursting operations--with zero intervention by system administrators, the company says, adding that it also addresses the issues of dynamic public cloud IP addressing,CloudPassage's new services are now available free of charge. Organizations can download the products to secure an unlimited number of cloud services. CloudPassage will add products and advanced features as paid upgrades. Some of those advanced features are expected to be account management functions, intrusion detection and prevention for each server, and compliance capabilities for data stored in the cloud.

See more on this topic by subscribing to Network Computing Pro Reports Cloud Computing: Six Ways to Fail (subscription required).