Today Alert Logic and Datapipe are announcing a new product that extends our network intrusion monitoring capabilities to public clouds, with initial support for the Amazon EC2 service. This is the first such service that was developed from the ground up for deployment on Amazon Web Services, making it the industry’s first network IDS service for Amazon cloud environments.

In my many conversations with AWS customers it has become clear that their experience deploying security products has been abysmal, in large part because the Amazon EC2 service lacks common network capabilities found in enterprise data centers. Amazon has made numerous network advances this year, but continues to lack the ability to perform network introspection, which is a key requirement for several controls mandated by PCI. Further complicating cloud deployments, the vast majority of enterprise-grade network security products today ship in a rigid appliance form factor – whether physical or virtual. This appliance-centric approach fails to meet the demands of s, which rely on web APIs to drive elastic environments and rapidly changing ephemeral network topologies.

The announcement of Threat Manager for EC2 changes all that, going far beyond virtual appliances by becoming a part of the cloud management fabric. Our belief is that the future of cloud security is in embedded services, which become tightly coupled to the cloud provider’s own management stack. Largely an afterthought today, security services will soon be consumed in much the same way as compute and storage resources – administered directly from the cloud management UI or controlled programmatically via a web API. To accomplish this goal we have developed a set of services and APIs that allow our customers to avoid unnecessary scripting and manual configuration, and which will serve as the foundation for our ongoing development of the cloud Security-as-a-Service platform:
- Provisioning API that allows service providers to embed Alert Logic services into their management stacks, create new customer accounts, authorize and tear down protected EC2 instances and Alert Logic virtual appliances.
- Ability to provide network introspection in each Linux or Windows cloud instance through a soft-tap that mirrors traffic to our virtual appliances.
- Secure certificate management service that ensures only authorized EC2 and virtual appliances are able to communicate with each other.
- Management service API that automatically migrates configurations to all protected EC2 instances and virtual appliances as they join the network.
- Ability to support Availability Zone affinity, providing the most cost effective communication path for monitored traffic.
- Secure communication services that ensure that all communications between the virtual appliances, protected EC2 instances and Alert Logic cloud infrastructure are encrypted.
- Usage-based accounting and billing.

In the near future, we’ll be adding full support for role-based management of hosts, automated load balancing of protected hosts between virtual appliances and other functions that make elastic scaling in EC2 painless. Additional Alert Logic services, such as log management and vulnerability scanning, will be available soon. If you have questions or comments, or are interested in joining the beta program, please leave a comment or reach out to us by phone. Our cloud solutions will evolve rapidly and we hope to hear about what functions matter to you most.