A look at CloudPassage Halo and Amazon Inspector

This post was originally published here by Deepak Munjal.

As much as we'd enjoy not facing competition, the fact remains that other companies endeavor to provide some of the same services we do. Let's just say that some of these companies are small, some of them are large, and one of them is Amazon.com.

Amazon is a major partner that we think very highly of, yet it provides a tool that offers some features similar to what we provide with CloudPassage Halo. This is the kind of weird scenario that only exists in the corporate world. Imagine if Rob Gronkowski was not only Tom Brady's teammate but also, 10% of the time, suddenly turned around and tried to tackle him. As entertaining as that might be, I'm not entirely sure they could make it work.

Halo does make it work, however, which is why we'd like to take a closer look at a product Amazon released to the public last year: AWS Inspector.

Inspector is Amazon's stab at an automated workload security service. And similar to just about everything Amazon does (if you haven't seen the Amazon-produced and Best Picture nominated film Manchester By The Sea yet, you definitely should), it's good!

Inspector's service provides SVA and CSM information via an agent-based platform, with pricing based on consumption. It includes deep APIs and is built for automation of agent deployment and scanning.

Sound familiar? It should, because it is familiar. This is very much like the service Halo provides.

Despite these core similarities, the services are not the same. There are some key differences that are very much worth noting:

Inspector is AWS only, while Halo is multicloud and works with AWS, Microsoft Azure, Rackspace, OpenStack, and wherever else you happen to be: bare metal to private cloud to IaaS to the moon (assuming you have servers there). Maybe you're using AWS for some things and your own servers for others? We've got it handled.

Halo isn't only more far-reaching in where it works; it's also more comprehensive in how it does that work. Inspector does not include Server Account Management, nor does it provide Traffic Discovery, Firewall Orchestration, multi-factor network authentication, File Integrity Monitoring, and Log-based Intrusion Detection, security functions found within Halo Segment and Halo Detect. Forrester and Gartner agree these are very important for cloud-based workloads.

All of this work is easily tracked too, as the Halo portal provides a rich overview of security posture across all workloads, with both a scannable top-level overview and deep-dive capability. Inspector doesn't include this kind of portal.

Halo content templates are also richer, with customizable, platform-specific CIS Benchmarks and DISA STIGs. On the other side, Inspector does not run a full software scan. Instead, the packages that Inspector checks for have to be specified in the rules package. They basically require an AWS-defined SVA policy that cannot be customized.

It's not all "look at how awesome Halo is!" though. Inspector does include some features that Halo doesn't, like encryption, DDoS mitigation, and identity and access control. It's appropriate in some scenarios to use both Inspector and Halo side by side. The products can be very complementary.

This is all to say that Inspector is a quality product; Halo just happens to be a deeper and more mature one. And you'd hope so, considering we've been at it for over seven years now.

Though I'm a little disappointed to say so, it's very unlikely we'll ever make an Oscar-nominated film or win a bunch of Emmys. What we will always be doing, though, is improving and expanding our core service. We're entirely focused on server and cloud workload security, and we think that's a good thing.
