CloudPassage & Why Guest-Based Footprints Matter Even More For Cloud Security


Every day for the last week or so after their launch, I’ve been asked left and right about whether I’d spoken to CloudPassage and what my opinion was of their offering.  In full disclosure, I spoke with them when they were in stealth almost a year ago and offered some guidance as well as the day before their launch last week.

Disappointing as it may be to some, this post isn’t really about my opinion of CloudPassage directly; it is, however, a reaffirmation of the deployment and delivery models for the security solution that CloudPassage has employed.  I’ll let you connect the dots…

Specifically, in public IaaS clouds, where homogeneity of packaging, standardization of images and uniformity of configuration enable scale, security has lagged.  This is mostly because, for a variety of reasons, security itself does not scale well.

In an environment where the underlying platform cannot be counted upon to provide “hooks” for integrating security capabilities at the network level, all that’s left is what lies inside the VM packaging:

  1. Harden and protect the operating system [and thus the stuff atop it],
  2. Write secure applications, and
  3. Enforce strict, policy-driven, information-centric security.

My last presentation, “Cloudinomicon: Idempotent Infrastructure, Building Survivable Systems and Bringing Sexy Back to Information Centricity” addressed these very points. [This one is a version I delivered at the University of Michigan Security Summit]

If we focus on the first item in that list, you’ll notice that, generally, to effect policy in the guest you must have a footprint on said guest, however thin, to provide the hooks that are needed either to effect policy directly or to redirect back to some engine that offloads this functionality.  There’s a bit of marketing fluff associated with using the word “agentless” in many applications of this methodology today, but at some point the endpoint needs some sort of “agent” to play.*
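To make the “footprint in the guest” point concrete, here is an added example (mine, not code from CloudPassage or from the original post) of the smallest useful thing such an in-guest agent does: take a zoning policy handed down from a central engine, compile it into host firewall rules, compare against what is actually on the box, and converge, idempotently, so that running it twice changes nothing. The policy format, the `ZONING` chain name and the sample `iptables -S` output are all constructed for this illustration; the agent defaults to a dry run so it can be executed unprivileged.

```python
"""Toy guest-side zoning agent: converge a host's firewall chain to a declared policy.

Added illustration only. The policy format, the ZONING chain name and the
sample 'current state' below are constructed for this example; they are not
CloudPassage's format or output.
"""
import ipaddress
import shlex
import subprocess
from typing import Dict, List

CHAIN = "ZONING"  # hypothetical dedicated chain the agent owns

# Constructed sample policy: zones are lists of CIDRs; each inbound rule allows
# one port from a named zone into this host. Anything not listed is dropped.
POLICY: Dict = {
    "zones": {
        "web": ["10.0.1.0/24"],
        "ops": ["10.0.9.10/32", "10.0.9.11/32"],
    },
    "inbound": [
        {"from": "web", "proto": "tcp", "port": 5432},
        {"from": "ops", "proto": "tcp", "port": 22},
    ],
}

# Constructed sample of `iptables -S ZONING` output showing drift: the
# ops->22 rules are missing and a stray subnet was allowed by hand.
CURRENT_DUMP = """\
-N ZONING
-A ZONING -s 10.0.1.0/24 -p tcp -m tcp --dport 5432 -j ACCEPT
-A ZONING -s 10.0.5.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A ZONING -j DROP
"""


def render_rules(policy: Dict) -> List[str]:
    """Compile the policy into ordered rule specs in `iptables -S` spelling.

    Inputs are validated here because the policy arrives from outside the
    guest: a bad CIDR or port must fail closed, not become a shell argument.
    """
    rules = []
    for rule in policy["inbound"]:
        proto = rule["proto"]
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {proto!r}")
        port = int(rule["port"])
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
        for cidr in policy["zones"][rule["from"]]:
            net = ipaddress.ip_network(cidr, strict=True)  # raises on garbage
            rules.append(f"-s {net} -p {proto} -m {proto} --dport {port} -j ACCEPT")
    rules.append("-j DROP")  # default deny closes the chain
    return rules


def parse_current(dump: str, chain: str = CHAIN) -> List[str]:
    """Extract the rule specs currently in `chain` from `iptables -S` output."""
    prefix = f"-A {chain} "
    return [line[len(prefix):] for line in dump.splitlines() if line.startswith(prefix)]


def plan(current: List[str], desired: List[str], chain: str = CHAIN) -> List[str]:
    """Commands that converge `current` to `desired`; empty when already converged.

    Rule order matters (the DROP must stay last), so on any drift the whole
    chain is flushed and rebuilt rather than patched rule by rule.
    """
    if list(current) == list(desired):
        return []
    return [f"iptables -F {chain}"] + [f"iptables -A {chain} {r}" for r in desired]


def apply(cmds: List[str], dry_run: bool = True) -> int:
    """Run the plan; returns the number of commands. Dry run by default."""
    for cmd in cmds:
        if dry_run:
            print(cmd)
        else:
            subprocess.run(shlex.split(cmd), check=True)  # argv list, no shell
    return len(cmds)


if __name__ == "__main__":
    desired = render_rules(POLICY)
    current = parse_current(CURRENT_DUMP)
    apply(plan(current, desired))   # prints the converging commands
    apply(plan(desired, desired))   # prints nothing: already converged
```

The convergence step is deliberately “flush and rebuild” rather than rule-by-rule patching: with a terminal DROP in the chain, appending a missing ACCEPT after it would silently never match, and the only way the agent stays honest is to reproduce the declared order in full whenever the host has drifted. A production agent would also pull the policy over an authenticated channel and report the resulting state back, which is exactly the telemetry the post goes on to discuss.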

So that’s where we are today.  The abstraction offered by virtualized public IaaS cloud platforms is pushing us back to the guest-centric models of yesteryear.

This will bring challenges of scale, management, efficacy, policy convergence between physical and virtual environments, and the API-driven telemetry that true cloud solutions demand.

You can read more about this in some of my other posts on the topic:

Finally, since I used them for eyeballs, please do take a look at CloudPassage: their first (free) offerings are based upon small-footprint Linux agents and a cloud-based SaaS “grid” that together provide vulnerability management and firewall/zoning in public cloud environments.

/Hoff

* There are exceptions to this rule depending upon *what* you’re trying to do, such as anti-malware offload via a hypervisor API, but this is not generally available in public cloud to date.  This will, I hope, one day soon change.

  1. September 27th, 2011 at 09:37 | #1

    Great beat! I would like to apprentice while you amend your web site; how could I subscribe for a blog website? The account helped me an acceptable deal. I had been a tiny bit acquainted with this; your broadcast provided a bright, clear idea.

  2. October 25th, 2011 at 03:20 | #2

    Good point saying that guest-based footprints matter even more for cloud security. Will security get “better” as we move forward with virtualization and cloud computing? Certainly. Perhaps because of it, perhaps in spite of it.

  3. January 13th, 2012 at 10:48 | #3

    That is the suitable blog for anyone who wants to find out about this topic. You realize so much it’s almost exhausting to argue with you (not that I really would want to…HaHa). You definitely put a brand new spin on a topic that’s been written about for years. Great stuff, just nice!

  4. January 19th, 2012 at 07:02 | #4

    After studying a number of the blog posts on your website now, I truly like your way of blogging. I bookmarked it to my bookmark website list and shall be checking again soon. Please take a look at my website as well and let me know what you think.
