Thursday, January 27, 2011

Early Vibe: CloudPassage

CloudPassage, a Bay Area startup, exited stealth this week with a proposition to simplify security for cloud-based servers. The problem, according to the vendor, is that vulnerability management and firewall policy enforcement both suffer as application servers are dynamically launched and shuffled between data centers. For instance, enterprises find it harder to reach their applications in the cloud, whether to frequently assess and manage server vulnerabilities or to enforce server-based security policies.

The secret sauce of the CloudPassage SaaS technology is a cloud-based analytic grid that continuously correlates server configurations with vulnerability information and customer security policies, relieving individual servers of that burden. CloudPassage initially offers two products, Halo SVM and Halo Firewall:

Halo SVM (Server Vulnerability Management) depends on a host-based agent to initiate communications with the CloudPassage grid. The agent profiles the Linux or Unix server and uploads that information to the CloudPassage grid for analysis. The end benefit is a vulnerability management procedure that transparently evaluates applications for vulnerabilities and configuration drift at a higher frequency than scanning options can reasonably achieve.

Halo Firewall is a host-based firewall designed to travel with cloud-based servers to enforce security policies. Like SVM, the Firewall product connects to the CloudPassage grid to download the most recent set of policies for the server.

The Ogren Group believes that CloudPassage is on the right track. Enterprise applications are evolving from customer premises-based services to hybrid environments and public clouds, yet static security perimeters and scheduled vulnerability management aren’t evolving at the same pace. Placing the burden of analysis in the cloud as a SaaS allows CloudPassage to avoid distribution overhead to servers while assessing vulnerability information, server configurations, and customer policies for each server (and there will be plenty of opportunity to add additional security computations). CloudPassage does have challenges to overcome, starting with expanding its solution to include support for Windows servers and an agentless option for those that can’t tolerate additional software on a server. The company is very young, with a grid capability that offers the potential for excellent flexibility in responding to the challenge of securing the cloud.