API-level Connectivity and Control for IaaS and PaaS: Cloud Workload Security Part 2

The “Forrester Wave™: Cloud Workload Security, Q4 2019” report published by leading global research and advisory firm Forrester, Inc. provides an excellent overview of the security challenges posed by the transition to cloud-based environments and discusses the cloud workload security solutions best poised to address them. One important criterion is API-level Connectivity and Control for IaaS and PaaS.

Application infrastructure has always been complex. The “big bang” of cloud computing created an ever-expanding universe of new infrastructure services and resources available on-demand from IaaS and PaaS platforms like Amazon Web Services, Microsoft Azure, and Google Compute Platform. When combined, this universe of resources represents a mind-numbing set of potential permutations. Cloud computing and DevOps also drive the speed and volume of changes to levels almost guaranteed to overwhelm traditional security approaches and technologies.

Achieving security visibility and control in these new environments are key needs discussed in the Forrester Wave and other research. Fulfilling these needs typically involves automation that leverages the cloud provider’s APIs to discover, assess, and monitor services and resources in IaaS environments. Forrester refers to this overall capability as “API-level connectivity and control for IaaS and PaaS”.

CloudPassage’s solution is Halo, a platform for cloud computing security purpose-built to automate security and compliance management across public and hybrid cloud environments. In The Forrester Wave™: Cloud Workload Security, Q1 2019 report, Halo received the highest possible score (5 out of 5) in the API-level connectivity and control for IaaS and PaaS criterion. This blog explores this criterion

About API-level Connectivity and Control for IaaS and PaaS

In the Key Takeaways section of “The Forrester Wave™: Cloud Workload Security, Q4 2019”, Forrester states the following:

“As on-premises security suites technology becomes outdated and less effective to provide comprehensive support for cloud workloads, improved broad coverage support for guest/host OS; API-level connectivity to the infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) platform; and container orchestration and runtime platforms will dictate which providers lead the pack.”

If API-level connectivity and control will be a defining trait of cloud security leaders, the implication seems clear—this capability is important to customers. The Forrester report states that cloud workload security customers should seek vendors that:

“Provide templatized API-level configuration management to IaaS and PaaS platforms. You can’t control Amazon Web Services (AWS), Azure, or Google Cloud Platform (GCP) using old school, on-premises CMDB tools. Instead, you want tight control over instance and storage creation and network connectivity. Best practices, vulnerability, and compliance templates (CIS, CVE, or HIPAA) built into and consistently updated by vendors for managing configurations are key differentiators in this area.”

Clearly this capability is important. But what exactly is “API-level connectivity and control”, why is it important, and what can I do with it?

What Is API-level Connectivity and Control for IaaS and PaaS?

API-level connectivity and control uses cloud provider APIs to automatically discover, inventory, assess, monitor, and control IaaS and PaaS environments. The scope of these features typically includes infrastructure resources and services in the IaaS/PaaS account, as well as the account itself.

This basic functionality must be able to handle the dynamic, diverse and distributed nature of cloud infrastructure. Just a few of the additional capabilities needed include customizable policy and rule templates, data normalization across IaaS/PaaS providers, easy integration with cloud provider environments, and scalability.

Many industry terms are synonymous with “API-level connectivity and control for IaaS and PaaS”. A few of these include:

• Cloud security posture management (CSPM)
• Cloud workload security assessment and monitoring
• Continuous cloud compliance monitoring
• Cloud infrastructure security
• IaaS security

Regardless of the name, the concept is deceptively simple:

• connect to a cloud provider API
• retrieve data points relevant to security and compliance
• evaluate that data against standards

But as always, the devil is in the details. Scalability issues, impact on API limits, cross-cloud portability, multi-cloud data normalization, and correlation with other security and compliance data are all problems that a successful solution must handle. Later in this blog, we’ll cover how Halo’s implementation tamed these issues well enough to achieve a 5 out of 5 score.

For now, let’s consider why these capabilities are important and what you can do with them.

Why API-level Connectivity and Control for IaaS and PaaS is Important

Application programming interfaces (APIs) have been a critical part of application stacks for decades, most often related to the software itself. Cloud computing has made APIs central to the successful adoption of DevOps, continuous delivery, and infrastructure automation. Infrastructure today is really just more code, quickly and easily iterated across huge numbers of resources.

This trend in cloud infrastructure makes API-level connectivity and control important capabilities for security and compliance. Here are some of the most important reasons why.

APIs Help Keep Up Cloud Speed and Scale

API-driven speed and agility results in a massive increase in change velocity. Every change introduces the potential for harm, and those risks must be managed as changes occur. Without a way to keep up with the velocity of API-driven infrastructure, security and compliance practitioners are quickly overwhelmed and something will get missed.

Even the most meticulously hardened cloud environment will end up exposed by errors and oversights on the part of humans or weak automation tools. This is in large part related to the large number of configuration settings, access vectors, and access control structures that have to be constantly monitored. In fact, 99 percent of cloud security failures will be the customer’s fault through 2025, according to recent research from Gartner.

Without the right automation, the risk of making a mistake is amplified. This leaves us with a top reason that API-level connectivity and control for IaaS and PaaS is important: to extend the speed, scale, and consistency benefits of API-based automation to security and compliance.

APIs Help Security Align With DevOps To Achieve DevSecOps

DevOps is the new norm in how applications are developed, deployed, and operated. Smart security leaders are seeking ways to harmonize security with DevOps methods and processes in order to create similar scale and leverage.

API-based automation is a critical pillar at the center of any true DevOps shop. Workflows in a DevOps shop are driven by automation tools wired together with APIs, right down to the way that engineers communicate with one another. When a task is expected to be repeated, it’s automated on-the-spot. Changes are deployed when ready, typically without human intervention or review. These concepts are often foreign to security and compliance practitioners and may even seem to run counter to risk control objectives.

Collaboration with DevOps teams requires that security and compliance teams embrace “the DevOps way”, which in no small part means becoming API-driven. This is important to learning how to engage DevOps on their terms, achieving the speed and consistency benefits of DevOps-style automation, and even to ensure common situational awareness—if both teams leverage the same APIs, consistent awareness will be built-in.

Historically, security vendors have been remiss in providing users with rich APIs, making API-driven operations somewhat foreign to security teams. The emergence of purpose-built cloud security solutions are changing that scene by exposing API-driven capabilities to users. This is the very essence of API-level connectivity and control capabilities.

APIs Support Continuous Monitoring to Prevent The Worst

Unlike traditional data centers, cloud infrastructure environments are designed to be in a constant state of change. Compute, storage, networking, and other IaaS resources continuously added, removed, and modified by automated tools. Resources can be copied or made into templates used to scale infrastructure in autoscaling events, or just to address general growth. These capabilities are powerful.

But such power doesn’t come without risk. Cloud resources are often cloned in-place, which means every exposure is cloned with them. Automation scripts are not always QA’ed or inspected, especially in the heat of an outage situation. One vulnerable image or poorly written update script can become “Typhoid Mary”, spreading deadly problems throughout the environment very quickly. In other words, the creation of new attackable surface areas and exposures without warning should be completely expected.

In a recently released white paper, CloudPassage shared the nastiest mistakes we’ve seen expose IaaS & PaaS environments. In summary, those exposures include:

• Easily hacked administrative credentials
• Exposed data assets
• Weak network access controls
• Unconstrained blast radius
• Poor event logging

The Gartner research mentioned above confirms our own experience—issues like these can be prevented. API-level connectivity and control for IaaS and PaaS is one of the keys to that prevention. That makes these capabilities an important part of your cloud security arsenal.

Use Cases for API-level Connectivity and Control for IaaS and PaaS

The simple ability to connect to an API and analyze the data found there is a far cry from automating a specific operational task at scale, across the environment. In our experience working with hundreds of companies on cloud security, the most critical question to ask may be “What can I do with it?”

These capabilities can address many use cases, too many to list. The most common use cases in which control objectives are achieved with API-level connectivity and control include:

• Continuous Asset Awareness – API-based discovery and inventory of IaaS services and resources—you can’t do any of the things below if you don’t know the assets exist
• Point-In-Time Security Assessment – assessment of public cloud account security, including the IaaS account itself and the security of the services and assets inside the account
• Continuous Security Monitoring – ongoing IaaS environment monitoring to detect and evaluate how changes and events impact security and compliance posture
• Compliance Auditing & Monitoring – point-in-time evaluation of compliance posture against a range of standards (a.k.a. pre-auditing) or continuous compliance monitoring to surface issues as they arise instead of “cleaning up” right before an audit
• Detect Indicators of Threat & Compromise – attackers will use cloud technology to their advantage, leaving cloud “versions” of rootkits and other malicious artifacts as part of attacks. With the right API-based automation, indicators of these situations can be quickly detected to accelerate prevention, isolation, containment, investigation and clean-up.
• Automated Issue Remediation – leveraging cloud provider APIs to implement automatic remediation for exposures and compliance flaws is extremely valuable but often overlooked. Capturing metadata from provider APIs enables system owners to automate the process of zeroing in on and remediating problems, creating fully automated remediation capabilities.

Fundamental information security control objectives are still requirements in cloud environments. What’s new is how these objectives can be achieved consistently, at scale, across distributed environments. Well-implemented API-level connectivity and control for IaaS and PaaS environments is capable of solving these new challenges through efficient, effective, and consistent automation.

Why We Believe CloudPassage Halo Achieved 5 of 5 for API-level Connectivity and Control for IaaS and PaaS

CloudPassage’s solution is the Halo cloud security platform. Halo was purpose-built in 2010 to automate security and compliance management for servers across public and hybrid cloud environments. Since that time, CloudPassage has invested heavily in the platform’s evolution to address new cloud technologies and their security needs. Halo now addresses security for server-based, containerized, and public cloud infrastructure environments including public, hybrid, and multi-cloud deployments.

CloudPassage Halo received the highest score possible (5 out of 5) for seven criteria in The Forrester Wave™: Cloud Workload Security report, including API-level connectivity and control for IaaS and PaaS. Halo’s public cloud infrastructure security capabilities are included in Halo Cloud Secure, one of the three major modules of the Halo platform. The capabilities of Halo Cloud Secure are our implementation of API-level connectivity and control for IaaS and PaaS.

Here’s how we built Halo to achieve, in our opinion, a level of capability worthy of this independent recognition.

Key Requirements That Halo Is Designed to Address

In 2010 only the earliest adopters of public cloud technologies realized just how different these environments really are. Then and now, CloudPassage has had the privilege of working with some of the largest and most sophisticated public cloud enterprises in the world to guide our building of the Halo platform for cloud-specific requirements. These experiences gave us a deep understanding of the key requirements for successful cloud security, including API-level connectivity and control for IaaS and PaaS. While other requirements certainly exist, some of the most critical include:

• Unified capabilities for IaaS, PaaS, servers, and containers – IaaS and PaaS services don’t exist in isolation. Modern application architectures now combine IaaS and PaaS services with server-based and containerization technology (some of which is delivered by the provider themselves). Looking at components in isolation limits context and slows analysis of the overall application environment. This makes unification of data and management across various types of cloud infrastructure a critical requirement.
• Portability across cloud providers – the majority of successful digital enterprises use multiple IaaS and PaaS providers for availability, cost management, and prevention of vendor lock-in. Even within a single cloud provider, not all regions operate identically; federal and some international service regions are good examples. This makes portability of API-based capabilities within and across cloud providers critical. API compatibility, data normalization, and common policy management are just a few of the portability issues that are important to a successful deployment.
• Scalability – the scale of cloud infrastructure typically changes both on a short-term basis (cloudbursting or autoscaling events) and in the long term (organic application growth, new applications, data center migration). API-level connectivity and control capabilities must be able to quickly and automatically adapt to changes in infrastructure scale, in terms of both functional capacity and licensing.
• Automation – changes are programmatically automated in cloud and DevOps environments. If security and compliance functions are not equally automated, it will be easily outpaced by the infrastructure’s rate of change. Automation is needed to ensure that security instrumentation is “part of the build” and not something to be added later. Automation also ensures consistency and eliminates errors, both critical needs in highly dynamic and diverse cloud environments.
• Operational Integration – as previously discussed, aligning security and DevOps is an important success factor that delivers mutual benefit and a stronger overall security posture. This requires that security functionality and intelligence is automatically delivered to system owner workflow tools (e.g. Jira, Slack, Jenkins). These needs are complex, especially in larger environments, making comprehensive REST APIs, data routing, and other operational integrations critical.

How Halo Implements API-Level Connectivity and Control

From its inception, the innovations built into the Halo cloud security platform were designed to address the critical needs discussed above. These innovations were recognized by ten patents being granted to CloudPassage between 2013 and 2019 that cover various aspects of the Halo technology.

Here are just a few of the design decisions and features that enable Halo’s unification, portability, scalability, automation and operational integration for API-level connectivity and control:

• Use of existing cloud service provider API access constructs for easy, low-friction configuration, including delegated access to enable cross-account security management
• Customizable “out-of-the-box” policy templates supporting common security and compliance standards such as PCI DSS, CIS Benchmarks, HIPAA, and SOC 2 / SysTrust criteria
• Deep inspection and collection of all cloud resource metadata including raw resource-inspection output, user-defined resource tags, and platform metadata such as region, creation details, etc.
• Fast, scalable, fully automated security analytics capabilities that include tracking of initial issue appearance, automated detection of remediation, and issue regressions
• Normalized data model that presents disparate IaaS details in a common structure and format
• Detailed remediation advice for issues identified, presentation of raw assessment data for automation and inspection purposes, and instructions to manually verify findings if needed
• Bidirectional REST APIs and direct integration with queueing services like AWS SQS to enable operational automation and direct integration with other security and DevOps tools
• Operational features and integration tools to automate deployment, configuration, issue routing, email alerting, and bidirectional interaction with operational tools such as Jira and Slack
• RBAC and data access features to ensure system owners only interact with authorized systems

The list of capabilities above only addresses Halo Cloud Secure, the Halo platform module that implements API-level connectivity and control.

An exhaustive explanation of every innovation is outside the scope of this article. However, Halo’s innovations cover a much broader range of cloud-related issues including assumed-hostile running environments, multitenancy, asset cloning, ephemeral workloads, agent security, and more.

To Learn More

Download The Forrester Wave™: Cloud Workload Security, Q4 2019.

Read more about CloudPassage Halo’s IaaS CSPM (Cloud Security Posture Management) capabilties

Come back and read our upcoming blogs on other criteria for which CloudPassage received the highest scores possible in The Forrester Wave™: Cloud Workload Security, Q4 2019 Report.

Containerization and container orchestration platform protection
Scalability: protected cloud instances and protected containers
Centralized agent framework plans
Or subscribe to our blog by entering your email in the upper right corner of this page and don’t miss a thing.