The “Forrester Wave™: Cloud Workload Security, Q4 2019” report published by leading global research and advisory firm Forrester, Inc. provides an excellent overview of the security challenges posed by the transition to cloud-based environments and discusses the cloud workload security solutions best poised to address them. One important criterion is API-level Connectivity and Control for IaaS and PaaS.
Application infrastructure has always been complex. The “big bang” of cloud computing created an ever-expanding universe of new infrastructure services and resources available on-demand from IaaS and PaaS platforms like Amazon Web Services, Microsoft Azure, and Google Cloud Platform. When combined, this universe of resources represents a mind-numbing set of potential permutations. Cloud computing and DevOps also drive the speed and volume of changes to levels almost guaranteed to overwhelm traditional security approaches and technologies.
Achieving security visibility and control in these new environments is a key need discussed in the Forrester Wave and other research. Fulfilling this need typically involves automation that leverages the cloud provider’s APIs to discover, assess, and monitor services and resources in IaaS environments. Forrester refers to this overall capability as “API-level connectivity and control for IaaS and PaaS”.
CloudPassage’s solution is Halo, a platform for cloud computing security purpose-built to automate security and compliance management across public and hybrid cloud environments. In The Forrester Wave™: Cloud Workload Security, Q1 2019 report, Halo received the highest possible score (5 out of 5) in the API-level connectivity and control for IaaS and PaaS criterion. This blog explores this criterion.
In the Key Takeaways section of “The Forrester Wave™: Cloud Workload Security, Q4 2019”, Forrester states the following:
“As on-premises security suites technology becomes outdated and less effective to provide comprehensive support for cloud workloads, improved broad coverage support for guest/host OS; API-level connectivity to the infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) platform; and container orchestration and runtime platforms will dictate which providers lead the pack.”
If API-level connectivity and control will be a defining trait of cloud security leaders, the implication seems clear—this capability is important to customers. The Forrester report states that cloud workload security customers should seek vendors that:
“Provide templatized API-level configuration management to IaaS and PaaS platforms. You can’t control Amazon Web Services (AWS), Azure, or Google Cloud Platform (GCP) using old school, on-premises CMDB tools. Instead, you want tight control over instance and storage creation and network connectivity. Best practices, vulnerability, and compliance templates (CIS, CVE, or HIPAA) built into and consistently updated by vendors for managing configurations are key differentiators in this area.”
Clearly this capability is important. But what exactly is “API-level connectivity and control”, why is it important, and what can I do with it?
API-level connectivity and control uses cloud provider APIs to automatically discover, inventory, assess, monitor, and control IaaS and PaaS environments. The scope of these features typically includes infrastructure resources and services in the IaaS/PaaS account, as well as the account itself.
This basic functionality must be able to handle the dynamic, diverse and distributed nature of cloud infrastructure. Just a few of the additional capabilities needed include customizable policy and rule templates, data normalization across IaaS/PaaS providers, easy integration with cloud provider environments, and scalability.
Many industry terms are synonymous with “API-level connectivity and control for IaaS and PaaS”. A few of these include:
Regardless of the name, the concept is deceptively simple:
But as always, the devil is in the details. Scalability issues, impact on API limits, cross-cloud portability, multi-cloud data normalization, and correlation with other security and compliance data are all problems that a successful solution must handle. Later in this blog, we’ll cover how Halo’s implementation tamed these issues well enough to achieve a 5 out of 5 score.
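The following is an added illustration, not CloudPassage’s or Halo’s code, of the discover, normalize, and assess steps described above: constructed AWS-style and GCP-style firewall responses (sample data, not real provider output) are mapped into one provider-neutral record and checked against a reusable rule template, with paging paced so that repeated calls stay under provider API limits.

```python
import time
from typing import Iterator, NamedTuple

class Ingress(NamedTuple):   # provider-neutral record every rule is mapped into
    provider: str
    resource: str
    port_from: int
    port_to: int
    source: str

def normalize_aws(sg: dict) -> list[Ingress]:
    """Constructed EC2 DescribeSecurityGroups-shaped entry -> Ingress records."""
    return [Ingress("aws", sg["GroupId"], p["FromPort"], p["ToPort"], r["CidrIp"])
            for p in sg.get("IpPermissions", []) for r in p.get("IpRanges", [])]

def normalize_gcp(fw: dict) -> list[Ingress]:
    """Constructed Compute firewalls.list-shaped entry -> Ingress records."""
    out = []
    for port in (p for a in fw.get("allowed", []) for p in a.get("ports", [])):
        lo, _, hi = port.partition("-")            # "22" or "3000-4000"
        out += [Ingress("gcp", fw["name"], int(lo), int(hi or lo), s)
                for s in fw.get("sourceRanges", [])]
    return out

def paged(pages: list[dict], key: str, delay: float = 0.0) -> Iterator[dict]:
    """Walk paginated responses; sleep between pages to stay under API rate limits."""
    for i, page in enumerate(pages):
        if i and delay:
            time.sleep(delay)
        yield from page[key]

ADMIN_PORTS, WORLD = {22, 3389}, {"0.0.0.0/0", "::/0"}   # rule template parameters
def assess(rules: list[Ingress]) -> list[dict]:
    """Rule template: admin ports must not be reachable from any address."""
    return [{"provider": r.provider, "resource": r.resource,
             "ports": sorted(p for p in ADMIN_PORTS if r.port_from <= p <= r.port_to)}
            for r in rules if r.source in WORLD
            and any(r.port_from <= p <= r.port_to for p in ADMIN_PORTS)]

AWS_PAGES = [  # constructed sample: two pages from one account
    {"SecurityGroups": [{"GroupId": "sg-aaa", "IpPermissions": [
        {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]},
    {"SecurityGroups": [{"GroupId": "sg-bbb", "IpPermissions": [
        {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}]
GCP_PAGES = [{"items": [{"name": "fw-wide", "sourceRanges": ["0.0.0.0/0"],
                         "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]}]}]
def run_inventory() -> list[dict]:
    rules = [r for sg in paged(AWS_PAGES, "SecurityGroups") for r in normalize_aws(sg)]
    rules += [r for fw in paged(GCP_PAGES, "items") for r in normalize_gcp(fw)]
    return assess(rules)
```

The same `assess` template runs unchanged over both providers once their responses share the `Ingress` shape, which is the normalization point made above.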
For now, let’s consider why these capabilities are important and what you can do with them.
Application programming interfaces (APIs) have been a critical part of application stacks for decades, most often related to the software itself. Cloud computing has made APIs central to the successful adoption of DevOps, continuous delivery, and infrastructure automation. Infrastructure today is really just more code, quickly and easily iterated across huge numbers of resources.
This trend in cloud infrastructure makes API-level connectivity and control important capabilities for security and compliance. Here are some of the most important reasons why.
API-driven speed and agility result in a massive increase in change velocity. Every change introduces the potential for harm, and those risks must be managed as changes occur. Without a way to keep up with the velocity of API-driven infrastructure, security and compliance practitioners are quickly overwhelmed and something will get missed.
Even the most meticulously hardened cloud environment will end up exposed by errors and oversights on the part of humans or weak automation tools. This is in large part related to the large number of configuration settings, access vectors, and access control structures that have to be constantly monitored. In fact, 99 percent of cloud security failures will be the customer’s fault through 2025, according to recent research from Gartner.
Without the right automation, the risk of making a mistake is amplified. This leaves us with a top reason that API-level connectivity and control for IaaS and PaaS is important: to extend the speed, scale, and consistency benefits of API-based automation to security and compliance.
DevOps is the new norm in how applications are developed, deployed, and operated. Smart security leaders are seeking ways to harmonize security with DevOps methods and processes in order to create similar scale and leverage.
API-based automation is a critical pillar at the center of any true DevOps shop. Workflows in a DevOps shop are driven by automation tools wired together with APIs, right down to the way that engineers communicate with one another. When a task is expected to be repeated, it’s automated on-the-spot. Changes are deployed when ready, typically without human intervention or review. These concepts are often foreign to security and compliance practitioners and may even seem to run counter to risk control objectives.
Collaboration with DevOps teams requires that security and compliance teams embrace “the DevOps way”, which in no small part means becoming API-driven. This is important to learning how to engage DevOps on their terms, achieving the speed and consistency benefits of DevOps-style automation, and even to ensure common situational awareness—if both teams leverage the same APIs, consistent awareness will be built-in.
Historically, security vendors have been remiss in providing users with rich APIs, making API-driven operations somewhat foreign to security teams. The emergence of purpose-built cloud security solutions is changing that scene by exposing API-driven capabilities to users. This is the very essence of API-level connectivity and control capabilities.
Unlike traditional data centers, cloud infrastructure environments are designed to be in a constant state of change. Compute, storage, networking, and other IaaS resources are continuously added, removed, and modified by automated tools. Resources can be copied or made into templates used to scale infrastructure in autoscaling events, or just to address general growth. These capabilities are powerful.
But such power doesn’t come without risk. Cloud resources are often cloned in-place, which means every exposure is cloned with them. Automation scripts are not always QA’ed or inspected, especially in the heat of an outage situation. One vulnerable image or poorly written update script can become “Typhoid Mary”, spreading deadly problems throughout the environment very quickly. In other words, the creation of new attackable surface areas and exposures without warning should be completely expected.
In a recently released white paper, CloudPassage shared the nastiest mistakes we’ve seen expose IaaS & PaaS environments. In summary, those exposures include:
The Gartner research mentioned above confirms our own experience—issues like these can be prevented. API-level connectivity and control for IaaS and PaaS is one of the keys to that prevention. That makes these capabilities an important part of your cloud security arsenal.
The simple ability to connect to an API and analyze the data found there is a far cry from automating a specific operational task at scale, across the environment. In our experience working with hundreds of companies on cloud security, the most critical question to ask may be “What can I do with it?”
These capabilities can address many use cases, too many to list. The most common use cases in which control objectives are achieved with API-level connectivity and control include:
Fundamental information security control objectives are still requirements in cloud environments. What’s new is how these objectives can be achieved consistently, at scale, across distributed environments. Well-implemented API-level connectivity and control for IaaS and PaaS environments is capable of solving these new challenges through efficient, effective, and consistent automation.
CloudPassage’s solution is the Halo cloud security platform. Halo was purpose-built in 2010 to automate security and compliance management for servers across public and hybrid cloud environments. Since that time, CloudPassage has invested heavily in the platform’s evolution to address new cloud technologies and their security needs. Halo now addresses security for server-based, containerized, and public cloud infrastructure environments including public, hybrid, and multi-cloud deployments.
CloudPassage Halo received the highest score possible (5 out of 5) for seven criteria in The Forrester Wave™: Cloud Workload Security report, including API-level connectivity and control for IaaS and PaaS. Halo’s public cloud infrastructure security capabilities are included in Halo Cloud Secure, one of the three major modules of the Halo platform. The capabilities of Halo Cloud Secure are our implementation of API-level connectivity and control for IaaS and PaaS.
Here’s how we built Halo to achieve, in our opinion, a level of capability worthy of this independent recognition.
In 2010 only the earliest adopters of public cloud technologies realized just how different these environments really are. Then and now, CloudPassage has had the privilege of working with some of the largest and most sophisticated public cloud enterprises in the world to guide our building of the Halo platform for cloud-specific requirements. These experiences gave us a deep understanding of the key requirements for successful cloud security, including API-level connectivity and control for IaaS and PaaS. While other requirements certainly exist, some of the most critical include:
From its inception, the innovations built into the Halo cloud security platform were designed to address the critical needs discussed above. These innovations were recognized by ten patents being granted to CloudPassage between 2013 and 2019 that cover various aspects of the Halo technology.
Here are just a few of the design decisions and features that enable Halo’s unification, portability, scalability, automation and operational integration for API-level connectivity and control:
The list of capabilities above only addresses Halo Cloud Secure, the Halo platform module that implements API-level connectivity and control.
An exhaustive explanation of every innovation is outside the scope of this article. However, Halo’s innovations cover a much broader range of cloud-related issues including assumed-hostile running environments, multitenancy, asset cloning, ephemeral workloads, agent security, and more.
Download The Forrester Wave™: Cloud Workload Security, Q4 2019.
Read more about CloudPassage Halo’s IaaS CSPM (Cloud Security Posture Management) capabilities.
Come back and read our upcoming blogs on other criteria for which CloudPassage received the highest scores possible in The Forrester Wave™: Cloud Workload Security, Q4 2019 Report.
Containerization and container orchestration platform protection
Scalability: protected cloud instances and protected containers
Centralized agent framework plans