1 WHITE PAPER Implementing Software- Defined Security with CloudPassage Halo Introduction... 2 Implementing Software-Defined Security w/cloudpassage Halo... 3 Abstraction... 3 Automation... 4 Orchestration... 5 Automatic Scalability... 6 API Enablement... 7 Conclusion... 8
2 Introduction Software-defined security (SDSec) is an architectural approach to security and compliance that implements controls in a manner that abstracts them from physically-oriented elements such as topology, hardware, or physical location. In addition to control abstraction, SDSec implements control automation and orchestration of multiple controls into higher-order security services. SDSec is closely tied to API enablement, especially where orchestration is involved. SDSec enables security and compliance functions to operate harmoniously with software-defined infrastructure such as private clouds, public IaaS, hybrid and multi-cloud environments, virtualized data centers, and software-defined data centers (SDDCs). Fundamental to each of these models is the decoupling of application and data hosting from underlying physical constructs. Another shared factor is that configuration of infrastructure environments is achieved through software, without direct interaction with the underlying physical infrastructure. The architectural principals of SDSec align security and compliance delivery to the technical and operational dynamics of software-defined and virtualized infrastructure. This paper summarizes the five architectural principles of SDSec and the ways in which CloudPassage has implemented them by building the Halo SDSec platform for cloud infrastructure. For a more detailed discussion of SDSec architectural principals, please review What CSOs Need To Know About Software-Defined Security at cloudpassage.com. Gartner discusses the need for software-defined security in its report, What Is the Value of a Software-Defined Data Center? * Taxonomy of SDx *Source: MacDonald, Neil et al. What Is the Value of a Software-Defined Data Center? Gartner, Sept. 10,
3 Implementing Software-Defined Security with CloudPassage Halo The primary architectural principles of SDSec are abstraction, automation, orchestration, automatic scalability, and API enablement. An infrastructure security solution that fulfills these principles enables protection and compliance controls to operate effectively in virtualized, software-defined infrastructure environments. The following sections discuss each of these principals, how Halo enables their implementation, and the benefits gained. Abstraction The SDSec principle of security abstraction expresses that security and compliance capabilities must perform without dependencies on underlying physical constructs. Security abstraction means all controls must be completely non-dependent on specific hardware, topologies, or physical location of the environment being protected. A true software-defined security strategy should also be independent of any specific infrastructure platform, vendor, or service provider. How Halo Implements Security Abstraction By virtue of its being a cloud-based SaaS offering, Halo is abstracted from hardware and lower levels of software. It is not an appliance and has no dependencies on physical network topology or specific hardware configurations. Halo also operates completely independently of underlying virtualization/cloud platform, hardware vendor, or infrastructure service provider. Halo functions at the virtual machine level. This means it can protect public cloud workloads, private cloud servers, virtualized guest instances, and even servers on physical host machines. Any system that can run a Halo agent and communicate with a Halo security analytics engine (directly or via HTTPS proxy) can benefit from Halo. When operating in a cloud environment, Halo can make use of lower-level environmental factors (such as server geolocation as used in a configuration check), but it does not rely on any specific values at that level in order to function correctly. Halo can apply needed security controls and maintain needed visibility via the Halo agent. Halo associates security policies and other settings with logical workload groups, which are abstractions of multiple individual server configurations. Because it is possible to conceive of and manipulate the configuration of all workloads at the group level, Halo can manage the configurations of thousands of servers as if they were one. Benefits of Security Abstraction Most large enterprises do or will soon support a mix of private, public, and hybrid infrastructure delivery in addition to virtualized and bare-metal systems. Security capabilities that operate seamlessly across disparate environments are critical to ensuring consistent end effective protection and compliance. The Halo SDSec platform enables runs-everywhere infrastructure security by instrumenting visibility and enforcement controls inside cloud infrastructure workloads, regardless of location, platform, or service provider. Halo s independent operating capabilities prevent vendor lock-in and ensure that future needs can be met quickly and effectively. Halo operates simultaneously across any private cloud, public IaaS, or hybrid/multi-cloud mix. Halo can also automate security and compliance for traditional virtualized and even bare-metal environments. No other solution can achieve this level of consistent, effective, and efficient operation. 3
4 Halo s implementation of abstracted cloud infrastructure security means that controls can be deployed anywhere, delivering adaptability that was not previously available. Such adaptability is an absolute must-have to address security in highly distributed, dynamic, and diverse cloud infrastructure environments. Automation The SDSec principle of security automation expresses that security and compliance capabilities should minimize human intervention in deployment, configuration, ongoing operation, and de-provisioning. Security automation means that any control (e.g., firewall policies, configuration vulnerability scans, intrusion detection, multi-factor authentication) can be deployed and managed without manual intervention. The most desirable is full-lifecycle automation, in which policies are set once and tied to some context, after which underlying controls are 100% automated at each stage of the control s lifecycle from deployment to de-provisioning. How Halo Implements Security Automation Halo uses several strategies to maximize control automation and reduce human overhead. First, Halo embeds security and compliance capabilities directly into cloud infrastructure environments. Including the Halo agent in workload images, orchestration scripts, and startup commands ensures that controls are automatically deployed to each newly created workload instance, and that the Halo security analytics engine can orchestrate the most up-to-date policies for each workload. Halo s continuous cycle of workload monitoring and analytics automates a very broad set of tasks related to layered access control, visibility and intelligence, exposure management, intrusion prevention, and data protection. Once created and assigned, Halo ensures that user policies automatically control the details of what is examined and what is considered a significant security issue. Policies are assigned automatically, and automated control configurations are kept synchronized based on changes to cloud infrastructure. Automatic alerts are sent on designated event occurrences, and integration with third party tools allows Halo intelligence and data to be automatically delivered to other solutions. Halo automatically pushes updated firewall and other security enforcement policies to all appropriate servers as soon as the analytics engine identifies a need to do so. Policies across all infrastructure environments are typically synchronized within a 60 second window. Achieving such a level of consistency and speed across such a wide range of infrastructure controls would be untenable without Halo s automation capabilities. Security, compliance, and threat monitoring are also automated and continuous. Without human intervention, Halo continually scans your server fleet, reports results, and automatically sends alerts when suspicious activity is detected. Manual control of these activities of the agents or analytics engine is not required; it all happens automatically. The Halo REST API supports extensive automation of many aspects of Halo functionality. In addition to providing automation among Halo components and reporting tools, Halo s API capabilities enable third-party tools to become actors in larger automation workflows involving your cloud infrastructure. See the API Enablement section for more details. Benefits of Security Automation Security automation may be the most important principle for CSOs to consider in order to keep pace with infrastructure automation in the short term, and to provide strategic options for sustainable, flexible capabilities in the long term. 4
5 Halo gives enterprises the ability to keep up with infrastructure scaling and high rates of change associated with automated infrastructure and application management. It improves the accuracy, consistency, and effectiveness of security and compliance operations, while eliminating the potential for human error. Halo offers full-lifecycle control automation, yielding operational efficiency for both initial deployment and ongoing maintenance. For example, Halo automatically associates policies with logical workload contexts (e.g. workload role, geolocation, regulatory scope), then automates control maintenance based on policy or environmental changes 100% automated, from control deployment to de-provisioning. Halo also automates the collection of audit and operational data, even for ephemeral workloads that are only operational for short periods of time. Even though short-lived, these resources are still in scope for regulatory inspection, even if not still running at audit time. Halo ensures that the compliance of these resources is fully accounted for in any audit. The same principal applies to Halo s data collection for forensics and incident reconstruction purposes. The Halo REST API supports instrumentation across otherwise disparate technologies, further extending automation benefits. Because security management with Halo is programmable, more rapid and targeted responses to security issues can be built in. Orchestration The SDSec principle of security orchestration expresses that business security requirements are satisfied by dynamic, automated, centrally managed composition of individual controls into integrated, holistic security services. Security orchestration maintains alignment between security requirements, changing application dynamics, and control implementation through automated workflows, provisioning, and change management. Where appropriate, human-controlled approval or decision gates can be implemented to ensure nuanced decisions are handled correctly. A security orchestration platform centrally manages the composition of individual control components (e.g., network access control, IDS, vulnerability management) into more complex, service-oriented security services (e.g., PCI security service for web applications). As a result, security orchestration delivers higher order functions than simple control automation. Orchestration also enables administrative management of composed security service needs such as aggregated licensing, usage reporting, and deployment coverage reporting. How Halo Implements Security Orchestration Halo consolidates hundreds of individual controls into a single modular platform to provide central, automated composition of higher-level security and compliance services. This orchestration is achieved by associating sets of related control policies with logical resource groups. Halo s fully automated control deployment and management provides assurance that controls are applied consistently and accurately, at any scale and in any infrastructure environment. For example, achieving PCI compliance for an application might require specific controls around network access control, privileged access authentication, application configurations, integrity monitoring, etc. These policies might need to be applied to five different applications one in a traditional data center, one in a private OpenStack-based cloud, two in a private VMware-based cloud, and one in Amazon Web Services. Without orchestration, separate solutions for each control requirement must be deployed and managed ongoing. The complexity increases when solutions will work in some environments and not others for example, separate intrusion detection solutions for AWS and the traditional data center. 5
6 Halo s policy orchestration ensures that controls are configured once and are then deployable anywhere. In the PCI example above, Halo would implement an orchestrated PCI compliance service in a manner similar to this: PCI policies are defined once for each control A logical group would be created in Halo for each application The PCI control policies are associated with each group Halo agents automatically deploy and manage all controls according to the PCI policy, regardless of their location in the datacenter, OpenStack, VMware, or AWS environments Halo s orchestration capabilities allow administrators to define business and technical policy contexts (e.g., application role, geography, data classification, regulatory scope) and tie multiple fully orchestrated controls to those contexts. Halo also provides a common policy framework and management environment for all controls supported by the Halo platform. The patented architecture that Halo is built upon facilitates enterprise-wide orchestration because it centrally coordinates policies for workloads anywhere, regardless of cloud platform, provider, or physical location. Benefits of Security Orchestration Halo enables security and compliance capabilities that operate in harmony with an increasingly service-oriented technology world, where infrastructure and application delivery are orchestrated services even in private data centers. Halo leverages the same proven principals used by infrastructure orchestration tools to provide security teams with the same agility, flexibility, and speed. Halo s security orchestration reduces the time, effort, and potential for error associated with deploying multiple control systems across multiple application or infrastructure environments. It streamlines control deployment, integration, and change management, thus preventing security from becoming a speed bump in an otherwise seamlessly orchestrated environment. Halo can rapidly create and maintain numerous security environments that are aligned with higher-level business needs, while keeping pace with automated deployment, migration, and reconfiguration needs of the underlying application workloads. The orchestration functionality that Halo delivers also reduces the administrative complexities of security resource management in an on-demand, usage-based environment for example, how to deal with licensing of ephemeral workloads and how to bill back security licensing to business units. Halo maintains all data needed by orchestration systems to support usage reporting, accounting, and bill-back as needed. Automatic Scalability The SDSec principle of automatic scalability expresses that security and compliance control capacity (e.g., number of scans completed or number of systems monitored) must scale up and down dynamically, on demand, and without human intervention. Security and compliance controls need to be automatically scalable to keep up with elastic compute models. This means that controls must be deployed directly into the application scaling mechanism (e.g., building controls directly into auto-scalable virtual machines) or must have the ability to scale based on application scaling triggers (e.g., detection of auto-scaling triggers deployment of more virtual appliances). Given that an arbitrary number of security controls may potentially be needed across an arbitrary number of diverse application environments, the SDSec principles of orchestration and automation are often leveraged to achieve automatic scalability. Cloud-oriented application hosting models that support instant deployment and dynamic capacity will demand security that can automatically scale. Automatic scalability as a feature of an on-demand, orchestrated security service is an optimal strategy for implementing softwaredefined security. 6
7 How Halo Implements Automatically Scalable Security Halo is purpose-built to solve the problem of scalable security. Because it applies security to individual workloads, and each workload has its own Halo agent, security scales horizontally along with applications. As applications scale up, the additional demand for compute power is absorbed by the Halo security analytics engine, which is built on scalable, elastic infrastructure. In times of higher demand, the security analytics engine can add the capacity needed to handle growing needs. Because security is built into each instantiated workload by the time it comes on line, fast scale-ups (as in auto-scaling scenarios) occurs without gaps in security or compliance coverage for any new workloads. And because each agent contacts the engine every 60 seconds, updates to security policies will reach the entire server fleet, including newly instantiated servers, very quickly. The Halo portal allows you to conveniently monitor and manage a server fleet of any scale. Furthermore, if and when you scale back your fleet, the historical data relating to the expanded set of servers is retained for your auditing and research purposes, although you are no longer charged for security applied to any of the decommissioned servers. Benefits of Automatically Scalable Security Enterprises now leverage elastic application hosting models as a matter of regular practice. Private cloud and public IaaS support almost instant scalability to address variable compute needs on-demand, saving costs in unused high-watermark capacity and preventing large hardware capital expenditures at the outset of a new project. Halo can automatically scale-up or scale-back without human intervention, license-recovery processes or capacity planning exercises. These auto-scaling capabilities allow security and compliance controls to keep up with the speed and range of variable application hosting infrastructure. Halo ensures that controls are deployed directly into the application scaling mechanism (e.g., building controls directly into auto-scalable hosting environments). These capabilities are critical, given that an arbitrary number of security controls may potentially be needed across an arbitrary number of diverse application environments at a moment s notice. Halo makes infrastructure security operations agile, enabling support any enterprise use case for on-demand cloud infrastructure scaling. API Enablement The SDSec principle of API enablement expresses that security monitoring and enforcement control functions should be fully accessible via open application programming interfaces (APIs). Within an SDSec environment, APIs typically exist at the individual control level (e.g., changing firewall management rules) and at the orchestration platform level (e.g., scaling security services for an application that is auto-scaling). These APIs also allow existing systems, even those not part of an orchestrated SDSec strategy, to be extended through connection and integration with the SDSec environment. A truly open API will offer developers secure but unfettered access to complete, well-documented interfaces that enable management of any function and access to any data. Besides making automation and orchestration possible, API enablement of security and compliance allows unique security value to be derived from security services. It can also offer a measure of future-proofing by providing flexibility and optionality as new demands emerge. How Halo Implements API-Enabled Security The Halo SDSec platform was built from the onset as a completely REST API enabled set of services. Essentially any function that can be performed with Halo can be achieved via REST API endpoints, making the platform s many security dimensions programmable. 7
8 You can use the API to export events to analytic tools, manipulate policies, conduct scans, generate reports, and much more. The capabilities of the API are constantly being enhanced and expanded along with those of the Halo platform. The API also follows best security practices, starting with a token-based authentication system. API clients must authenticate with an ID and secret key, and receive a bearer token that can be used to fetch resources for a limited period until a new token is required. Secret keys and IDs can only be obtained through the user interface and all views of the secret portion of the key are logged. Users can restrict the IP addresses from which an API key can be used, and keys can be afforded read-only or read/write permissions. Benefits of Halo s API-Enabled Security Halo s open REST API capabilities enable broad automation, orchestration, and extension of security functionality within Halo itself, and across third-party products and solutions. The ability for Halo to programmatically interact with other solutions means extracting even more automation, orchestration, and data-sharing value from the overall security environments. An organization can derive unique security value from the automated, customized, programmable and actionable processes that it conceives and develops using the API. Over time, the capabilities of the Halo API will provide flexibility and optionality as new security demands emerge. Of the five architecture principals of SDSec, comprehensive enablement of API capabilities is often considered the keystone that enables the other components to cooperate successfully. Conclusion The five principles of software-defined security abstraction, automation, orchestration, automatic scalability, and API enablement can go far to ensure the success of security and compliance support for enterprise transformation to cloud-oriented technology delivery. The ways in which CloudPassage has implemented those principles in the Halo SDSec platform abstracted capabilities, deep automation, broad orchestration, auto-scalability, and rich API enablement demonstrates that Halo has been designed from the beginning to be the best possible platform for providing security automation in today s diverse infrastructure environments. About CloudPassage CloudPassage Halo is the world s leading agile security platform that empowers our customers to take full advantage of cloud infrastructure with the confidence that their critical business assets are protected. Halo delivers a comprehensive set of continuous security and compliance functions right where it counts at the workload. Our platform orchestrates security on-demand, at any scale and works in any cloud or virtual infrastructure (private, public, hybrid or virtual data center). Leading enterprises like Citrix, Salesforce.com and Adobe use CloudPassage today to enhance their security and compliance posture, while at the same time enabling business agility CloudPassage. All rights reserved. CloudPassage and Halo are registered trademarks of CloudPassage, Inc. WP_IMP_SDSEC_2_15 Learn More Visit or call to find out more about how CloudPassage can help your organization address security and compliance.