When cloud-based accounting software vendor Xero moved to agile development practices, the company realized it needed new security tools to keep up with its faster pace. It was looking for automation, scalability and fast infrastructure deployment.
In releasing more than 800 new features within a single year, its practice of recycling compute resources (hosts) for every change produced AWS EC2 instances with a typical lifespan of 24 to 48 hours. The company needed an automated security system covering the complete lifecycle of each instance, as well as a complete audit trail. In addition, it sought visibility into the company’s 45 different AWS accounts, hundreds of developers, thousands of servers, and the myriad changes taking place constantly.
Xero’s lead security architect Aaron McKeown also wanted DevOps teams to be able to keep using their chosen CI/CD tools and to integrate with other systems, such as the security information and event management (SIEM) system.
For all this, it chose CloudPassage.
The seven-year-old CloudPassage is focused on helping enterprise security and compliance teams keep up as enterprises move to the cloud and adopt DevOps and CI/CD practices, according to Carson Sweet, CloudPassage founder and CTO.
“Security needs to automate more. It needs to align with DevOps. It needs to move much faster,” he said.
Forrester Research projects that spending on global cloud security solutions will reach $3.5 billion by 2021 — an annual growth rate of 28 percent over the next five years.
The firm laid out a number of issues in a report on cloud workload security solutions, including:
- The need for automation and scale.
- The need for centralized visibility and control over a high volume of workloads.
- The need to match the speed of DevOps.
- The increasing complexity of compliance in the cloud, with the advent of serverless functions, eCommerce applications, IoT and more.
- The difficulties of security and compliance across multiple clouds.
Revamped Analytics Engine
San Francisco-based CloudPassage addresses these issues with a platform called Halo. It was built from the ground up specifically for hybrid environments, according to Sweet.
It provides security configuration monitoring, software vulnerability scanning, privileged access management, file integrity monitoring, automated log inspection, log-based intrusion detection, workload traffic discovery, host-based firewall orchestration and multi-factor network authentication.
It involves a micro-agent — only 2MB — installed on servers or workloads and an analytics engine built on AWS. The company recently announced a rebuilt, fully automated version of the analytics engine with auto-scaling and auto-healing services built using Mesos and Docker.
The Halo agent is deployed on each protected workload, including cloud instances, virtual machines or on-premises hardware. It delivers workload state and behavior data to the analytics engine every 60 seconds by default. The engine also issues additional data collection requests or security commands based on user-configured policies. It provides a central management portal and REST endpoints for integration with third-party tools such as Splunk and Sumo Logic, and with single sign-on identity providers such as OneLogin, Okta and others.
The company has about 100,000 systems deployed at a telco, Sweet said. Halo collects data from all of these workloads, examines it, and monitors the workloads in near-real time.
“[The system] is making decisions about this firewall rule needs to be changed, an alert needs to go out about this unusual behavior, this particular system is configured badly, somebody’s trying to do something to this system,” he said.
As part of the application stack, the agent can be built into the virtual machine image — for Amazon, an AMI. Orchestration tools such as Puppet, Chef or Ansible can install the agent as the system is being built; on Windows, an MSI package can be used. The company recently announced Slack integration and a Python SDK.
“We very specifically built this to run anywhere because security and compliance teams have no idea whether the next application is going to be built on Amazon, in the data center, or some little cloud provider in Switzerland,” Sweet said.
“The idea is that the security team needs to support anything that comes at them. So we’re completely agnostic to the underlying network environment, the underlying hypervisor, the cloud stack, the cloud provider. There are no dependencies whatsoever. It runs on Windows, on Linux, on Raspberry Pi — it doesn’t matter where it lives, where it runs. It just works. That portability is a key difference between us and other providers,” he said.
It also automates the ever-growing number of compliance requirements, he added.
Auditors typically look at one year’s worth of operations. If you have an application, they’ll come in and want to see the past 12 months of every system deployed, every code change that happened, every infrastructure configuration change, everyone that was given access or had access removed, he said.
“If you’re in an environment where you’re doing multiple changes a day, or even multiple changes a week, just collecting that data is a massive challenge. If you have not had automation in place to satisfy all the requirements, you’ve got an enormous problem … So collecting that data, analyzing that data, putting it in a format that makes it fast and easy to get those audits done, … that’s the other big problem that we solve.”
In January, the company announced a way to ensure card numbers are not accidentally exposed in application log files and cascading exposures of credit card numbers in downstream reporting tools. It involves merely checking a box within Halo’s pre-built policies.
It also announced integration with the AWS EC2 metadata service. This lets Halo customers use the AWS EC2 instance identifier, rather than a hostname or IP address, to more easily identify assets needing further investigation or remediation and to communicate those issues to the right staff.
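Why the instance identifier matters in a fleet where hosts live 24 to 48 hours: hostnames and private IPs get reused, so alerts keyed on them from different days can silently merge into one "asset". The following added example (not CloudPassage code, and unrelated to Halo's own API) reads the instance ID through the documented IMDSv2 endpoint and shows, on constructed sample alerts, how grouping by IP conflates two instances that grouping by instance ID keeps apart. The alert fields, IDs and timestamps are hypothetical.

```python
import urllib.request
from collections import defaultdict

IMDS = "http://169.254.169.254"  # link-local EC2 instance metadata endpoint

def imdsv2_instance_id(timeout=2):
    """Read this instance's ID via IMDSv2: fetch a session token with PUT,
    then GET the metadata path with that token. Only works on an EC2 host."""
    req = urllib.request.Request(
        f"{IMDS}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        token = r.read().decode()
    req = urllib.request.Request(
        f"{IMDS}/latest/meta-data/instance-id",
        headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return r.read().decode()

def group_alerts(alerts, key):
    """Bucket alerts by the chosen asset key ('ip', 'hostname' or 'instance_id')."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[alert[key]].append(alert)
    return dict(groups)

def distinct_assets(alerts, key):
    """Number of distinct assets the alerts appear to come from under that key."""
    return len(group_alerts(alerts, key))

# Constructed sample alerts (hypothetical values): two short-lived instances
# that were given the same private IP and hostname on consecutive days.
SAMPLE_ALERTS = [
    {"ts": "2018-03-01T02:10Z", "ip": "10.0.1.20", "hostname": "web-1",
     "instance_id": "i-0aaa111", "event": "sshd config drift"},
    {"ts": "2018-03-01T02:55Z", "ip": "10.0.1.20", "hostname": "web-1",
     "instance_id": "i-0aaa111", "event": "file integrity change"},
    {"ts": "2018-03-02T01:30Z", "ip": "10.0.1.20", "hostname": "web-1",
     "instance_id": "i-0bbb222", "event": "unexpected listener"},
]

if __name__ == "__main__":
    print("assets by ip:", distinct_assets(SAMPLE_ALERTS, "ip"))                   # 1 (merged)
    print("assets by instance_id:", distinct_assets(SAMPLE_ALERTS, "instance_id"))  # 2
```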
Halo is offered as security-as-a-service, billed by the hour. Its customers include General Electric, Informatica, Dollar Shave Club and railcar pooling firm TTX.
“We built the platform from the ground up for this type of environment because it’s really difficult to take a security tool meant for the data center and make it cloud-capable or cloud-savvy. We took the Big Data analytics and large-scale storage and processing capabilities and put that to work for the security and compliance users,” he said.
“Most security and compliance shops want that kind of capability, they just don’t have the expertise to run a Cassandra cluster or Elasticsearch cluster — all the stuff to make this work.
“Security and compliance teams want to be focused on threats, vulnerabilities and compliance, not spending their time installing hardware and software, and doing the math to figure out how many pieces of hardware they’re going to need. They need it to just be there, to just work, to be on demand, to scale and know that it works in any environment, and that’s what we built,” he said.