Scalable Cloud Workload Security: Part 4 of a Series

220
[ This article was originally published here ]

The “Forrester Wave™: Cloud Workload Security, Q4 2019” report provides an excellent overview of the security challenges posed by cloud computing and the solutions best poised to address cloud workload protection. In this fourth blog post of our series on the Forrester Wave, we explore two more criteria for which CloudPassage Halo received the highest scores possible, “Scalability: protected cloud instances” and “Scalability: protected containers.” We will share our thoughts on what scalable cloud workload security means, why it’s important, and why we believe CloudPassage received 5 out of 5 in these two criteria.

Enterprises want the speed and scalability offered by cloud infrastructure but often cite security and compliance as primary inhibitors of adoption. To eliminate these inhibitors, cloud workload security solutions require the same automatic, transparent scalability of the cloud environments they protect. Forrester punctuated this need for scalable cloud workload security by recommending that buyers seek solutions capable of “scalable deployment of protection to a large number of workloads without interruption.”


Scalability becomes a key requirement for security operations as instantly scalable cloud infrastructure becomes the norm for application hosting.  Cloud environments can scale up rapidly and dramatically, which can easily overwhelm security solutions not designed for these kinds of operations. Cloud security platforms must be able to scale in lockstep and instantaneously secure new assets, and they must do it with zero operational overhead.

Let’s take a look at what “Scalable Cloud Workload Security” means and why it’s important.

What Scalable Cloud Workload Security is and Why it is Important

Cloud computing has become the new normal for enterprises as the benefits of IaaS are realized and scaled. Higher agility, faster and easier deployment, and scalability are just a few of these benefits. As cloud computing environments rapidly scale up and down automatically, security must be equally as scalable and automated to keep up with the rate of change. This is an extreme requirement that cannot be fulfilled by legacy security tools and approaches built for a different time.

Security and compliance stakeholders must recognize two key dimensions of scalability that cloud security solutions must address as their enterprise clouds grow:

  • Short-term cloud scaling operations (e.g. cloudbursting, autoscaling, microservice orchestration) require security capabilities that can scale as rapidly as the servers, containers, and IaaS resources they protect.
  • Long-term cloud growth as more enterprise workloads migrate to IaaS require security capabilities that can grow without encountering technical, operational, or economic limitations.

Clearly there’s a need for scalable cloud workload security solutions that can automatically adjust their scale to keep pace with the underlying cloud infrastructure.

How Scalability Can Challenge Cloud Security and Compliance

One of the great advantages of cloud infrastructure is the ability to size infrastructure iteratively to address current and future needs. Projects can be deployed without large upfront costs or risky predictions, instead starting at limited scale and adding “just-in-time” resources as growth dictates. As enterprises see pockets of early success with cloud infrastructure, every business unit will want to reap the benefits.

The ability to create and scale nearly instantly brings many benefits but creates challenges for security and compliance. Here are some of the most common challenges that we’ve built Halo to address.

Legacy tools can’t keep up with technical cloud scale

The technical characteristics of cloud infrastructure are markedly different from traditional datacenter hosting environments. Legacy tools were built under a different set of assumptions and premises that leaves them unable to function well, if at all, in cloud computing environments. Many of these challenges are directly related to scale.

For example, a single data center server is often redeployed as multiple smaller server instances in IaaS, core to the concept of cloud computing’s horizontal scalability. This means there are more individual operating systems, configurations, etc. to manage. In many cases cloud server instances are often ephemeral and are recycled far more frequently than traditional bare-metal hosts or virtual machines, creating more overhead for security tools. In addition, IP addresses change often in cloud environments, creating ripple effects on network-centric security tools and often breaking policies and other IP-centric control constructs. These are all changes that extract more processing and compute demands. Bottom line, there’s no place in the virtualized world of cloud computing for the hardware-based acceleration that traditional security tools depended upon to scale.

While these and other technical scalability factors cause legacy security tools to fail in cloud environments, they drive the successful cloud workload protection programs that are built on cloud-purposed solutions designed to address them.

Cloud security operations cannot scale without automation

There are also significant operational differences between legacy environments and cloud computing that drive the need for scalable cloud workload security. DevOps and continuous delivery, which go hand-in-hand with cloud infrastructure, can create serious security and compliance operational disruptions.

  • Cloud infrastructure is software-defined and instantly scalable, making the volume and speed of changes orders of magnitude greater than traditional environments.
  • Automation toolchains that implement continuous deployment amplify this new level of operational speed and scale.
  • DevOps teams are now often very autonomous and embedded within business units, meaning traditionally regimented operational processes are often eschewed.
  • The rapidly expanding universe of cloud services also drives operational challenges—the sheer number of diverse technologies that a central security organization must address is staggering.
  • Instrumenting cloud security components requires direct integration into infrastructure templates and build-time automation before security controls can even be deployed.

Automation is the lynchpin to successful execution in these diverse, distributed, and dynamic cloud environments.

Securing these environments also requires deep automation, as failure to adapt security operations to these new realities results in a dangerous inability to keep up. Success in these new environments requires cloud workload security platforms with the deep automation capabilities needed to enable operational scale.

Traditional collaboration doesn’t scale for distributed DevOps organizations

Scalability problems can come from surprising sources—even organizational shifts. The structured, one-to-one cooperation between centralized security and operations teams is gone, and the new one-to-many model can create massive scalability strain if not handled properly.

Traditional organizations were established with a central IT organization at their core with subunits specializing in development, hosting operations, security, end-user computing, and so on. This centralized structure often resulted in well-defined, disciplined operations enforced by central IT executive management, with its rules of engagement and associated expectations well-understood.

The advent of DevOps, supplanted this regimented machinery with many small DevOps teams, very often reporting into distributed business units with their own priorities. This results in central security organizations being forced to cast a new model for communication and collaboration without the luxury of common executive authority. The independent nature of DevOps means that every team can be dramatically different. That may require InfoSec to have an individual approach for successfully interacting with each one of them.

Gone are the days of sending emails, PDFs, and spreadsheets to system owners. For scalable cloud workload security, DevOps teams want collaboration to happen in-line with their existing tools and processes. Slow-moving legacy approaches to collaboration impact their operational speed, something that’s tolerated at best and rejected at worst. Cloud security platforms must be designed with this reality in mind and provide methods for InfoSec to deliver automatable data to DevOps teams within their existing tools and workflows.

With the cloud security importance and challenges in mind, we’ll turn to sharing our thoughts on Forrester’s assessment of the CloudPassage Halo platform and our scalable cloud workload security.

Why We Believe CloudPassage Received 5 out of 5 in Forrester’s Criteria for Cloud Instance and Container Security Scalability

CloudPassage was purpose-built in 2010 to automate security and compliance management for servers across public and hybrid cloud environments. Since that time, CloudPassage has invested heavily in the platform’s evolution to address new cloud technologies and their security needs.

Halo now addresses security for server-based, containerized, and IaaS/PaaS services across any mix of public, private, hybrid, and multi-cloud deployments.

Halo customer deployments range in scale from a single cloud stack with a few assets to thousands of development and production stacks with millions of assets. Our largest scaling event involved 40,000 servers per hour. Halo’s transparent scalability and comprehensive capabilities give you the ability to address rapidly emerging cloud security needs and prevent security from impeding progress. Halo is blazing fast, and its architecture is designed for transparent scalability that makes temporary scale-up operations automatic and long-term growth simple.

The Halo platform’s architecture combines auto-scaling microservices, batch processing, streaming data analytics, SQL and NoSQL data stores, and cloud object storage, and is hosted 100% in public IaaS.

Security analytics and orchestration environment

The core of the Halo platform is the Halo cloud, a security analytics and orchestration environment that performs security analysis, control orchestration, and compliance monitoring for millions of cloud assets simultaneously. The Halo cloud receives continuous telemetry, state, and event data from lightweight microagents and API connectors deployed across the user’s cloud environments.

Autoscaling microservices

Telemetry and scan payloads are processed by highly efficient, purpose-built, autoscaling microservices. Based on user configurations, Halo’s security microservices take actions such as generating scan findings, analyzing cloud security events, executing REST API commands, or triggering other security automation microservices to generate and deliver intelligence, orchestrate distributed control and policy updates, perform situationally-specific interrogation of assets cloud-wide, and more.

Patented command and control model

Halo monitors millions of cloud resources simultaneously using this patented “command-and-control” model. Halo automates many recurring and ad-hoc security operational tasks.

Automated deployment and workflows are required for scalable cloud workload security

Halo’s comprehensive automation builds security into the continuous deployment pipelines and automates workflows between security and development—critical for scalable cloud workload security.

Halo microagents and API connectors are designed for quick and easy deployment using existing automation tools. Halo microagents transparently support server autoscaling (a.k.a. “cloudbursting”), cloning, and migration between environments, and thus can support scalable cloud workload security.

Integration with existing automation tools is accomplished through the Halo REST API, recognized as the industry’s most complete fully bi-directional API. Through the API, Halo is able to fully integrate with leading infrastructure automation tools for easy implementation and automated operation.

The API can use data from Halo to open a ticket in ticketing tools such as Jira or ServiceNow, export data to common SIEMs, and create an Ansible playbook to remediate vulnerable packages.

This allows teams to implement frictionless security by enabling security, IT, and DevOps to integrate and automate security into DevOps processes and continuous deployment pipelines while fostering collaboration between InfoSec and development or DevOps.

Automatic application of policy controls

Another important aspect of scalable cloud workload security is how the security controls themselves support scalability. Halo unifies a broad range of security controls across servers, containers, and public cloud infrastructure. Halo provides more than 150 security policies with thousands of rules to cover various asset types, operating systems, common applications, and security best practices. These policies are assigned to groups, and when new assets within that group come online, they are automatically assessed based on the assigned policies, with no manual intervention.

Autoscaling and cloud-bursting support

Halo automatically deploys, configures, inventories, interrogates, assesses, and initiates monitoring of new servers and containers without user intervention, for server cloning and autoscaling. Halo:

  • Handles cloud-bursting and autoscaling events by automatically detecting and instrumenting, monitoring, and protecting new cloud assets as they come online
  • Retains information on ephemeral workloads as you scale back down for assets that were not long-lived

Scalable licensing model

Halo offers a subscription model that aligns with the subscription models of cloud security providers. The Halo licensing model is designed for dynamic cloud environments so that you pay for only what you need; it is:

  • Consumption-based with complete user flexibility in license allocation
  • Based on cloud assets protected to make budget forecasting predictable
  • On-demand when needed, with license bursting to address temporary infrastructure scale-up events transparently

Scalable Cloud Workload Security Conclusion

In summary, we believe Halo received the highest scores possible in both the “Scalability: protected cloud instances” and “Scalability: protected containers” criteria in the “Forrester Wave™: Cloud Workload Security, Q4 2019″ report because the capabilities described above, when combined into one unified platform, support the following common characteristics of cloud adoption.

Organic application growth

The cloud infrastructure for a new application typically starts small and grows, often very quickly. With Halo:

  • DevOps teams can acquire only the infrastructure they need to get started, then grow their environment as application demand mounts.
  • As asset count grows and new application functionality is developed and deployed, every asset is automatically secured.
  • Security and compliance can grow along with organic application growth, easily and without disruption.

Viral cloud adoption

When larger enterprises see initial success with cloud computing, adoption will go viral as more business units will want to migrate or build greenfield applications to reap the benefits of the cloud. With Halo:

  • Security teams will not have to worry about the number of cloud environments or autonomous DevOps teams because Halo can automate instrumenting them for security.
  • Security teams can handle dramatic environment growth and organizational shift.

Autoscaling applications

One of the core benefits of cloud-based application infrastructure is the ability for application components to autoscale, but with autoscaling, the number of infrastructure assets in an application environment can multiply many times over. With Halo:

  • Autoscaling won’t require any manual effort to scale security tools in concert with the underlying environment.
  • Securing all assets associated with autoscaling events is transparent and automated.

To learn more about how Halo’s transparently scalable cloud workload security can help you secure your cloud infrastructure and assets:

Read our previous blogs on criteria for which CloudPassage received the highest scores possible in the “Forrester Wave™: Cloud Workload Security, Q4 2019” report.

Subscribe to our Blog in the upper right corner of this page, so you don’t miss the next one on Centralized Agent Framework Plans.