CWPP (Cloud Workload Protection Platform) with Server Secure

Server Secure is the cloud workload protection platform (CWPP) service of the Halo cloud security platform. It automates security and compliance management for Linux and Windows servers across any mix of public, private, or hybrid cloud hosting environments.

Server Secure Automates Security and Compliance Workflows for Cloud Workloads

In a matter of seconds, Halo Server Secure addresses the new security and compliance demands of cloud-hosted servers and workloads—opening the door to fast, consistent, automated remediation workflows.

Server Secure’s CWPP capabilities establish and maintain cloud workload protection—automatically.

DISCOVERY, INTERROGATION AND INVENTORY

Automatically discovers, interrogates, and inventories servers, including cloud workloads, virtual machines, and bare metal

VULNERABILITY ASSESSMENT

Detects vulnerabilities in operating systems, software configurations, unpatched software, access privileges, security controls, network services, authorized and unauthorized server components, and more

ONGOING MONITORING

Monitors cloud-hosted servers, virtual machines, bare metal, and software to detect new vulnerabilities and exposures introduced by innocent changes or malicious activity

DEVOPS WORKFLOW INTEGRATION

Immediately delivers vulnerability and exposure issues to system owners via REST API and message queues—see list of integrations

AUTOMATED REMEDIATION ASSISTANCE

Provides detailed issue evidence and remediation guidance, automatically detecting and reporting resolved issues

SERVER-LEVEL INTRUSION DETECTION

Automatically detects server-level intrusions through log monitoring, file and system integrity monitoring and IoT/IoC detection

Comprehensive, Flexible Policies and Rules

Unlike the alternatives, Halo’s CWPP capabilities involve no static rulesets that change without notice. Server Secure provides comprehensive policy and rule templates along with easy, flexible policy management features.

When rules are applied, the raw data collected from servers, manual auditing instructions, rationale for best practices, and explicit remediation guidance are delivered alongside every rule.

OVER 15,000 RULES

Security and compliance rules across a wide variety of pre-built policies for common best practices and standards

175 CONFIGURATION CHECKS

A wide variety of analysis checks for Linux and Windows servers to build sophisticated security and compliance rulesets

136 PRE-BUILT POLICIES

87 configuration security policies, 28 file and registry integrity monitoring policies, and 21 automated event collection and inspection policy templates

CUSTOMIZABLE

Every policy and rule can be customized for specific company, business unit, and application standards by approved administrative users  

IMPORT AND EXPORT

Import existing rules and policies—or export versions you have defined in Halo—as JSON, via the Halo portal or REST API

EASY UPDATES

When CloudPassage releases new content, just copy new rules you need into your existing policies—no need to start over

VERSION CONTROL

Implement version control and manage policy distribution and updates with tools like git using the Halo REST API

GROUP-BASED ASSIGNMENTS

Restrict policy visibility and management to specific business units or application teams without risk of affecting others

POLICY STACKING

Policies can be “stacked” and enforced hierarchically, so common “base” rulesets can be combined with environment-specific rules with ease

Simplify Your Cloud Workload Security Operations into a Single Pane of Glass

Server Secure is completely environment-agnostic, so you can automate security and compliance management into a single platform that supports servers across any mix of public, private, hybrid, and multi-cloud deployments. Halo’s CWPP manages server security and compliance anywhere, at any scale, with consistency and confidence.

BUILT FOR GROWTH

Designed to handle ephemeral workloads, auto-scaling operations, and the long-term growth of your server fleet

SEAMLESS SCALABILITY

Scales from fewer than 12 servers to over 150,000 with a single Halo account, without any additional hardware or software to deploy and manage

ELIMINATES POINT SOLUTIONS

Consolidates server security into a single, easily-managed 2 MB microagent with many powerful CWPP functions so you can remove multiple bloated agents from servers

REDUCES TIME TO REMEDIATION

Uses automation to foster better collaboration and faster issue communication, and to dramatically reduce remediation times

REAL-TIME COLLABORATION

Automatically communicates critical server issues to application owners as they are discovered for proactive, automated response to exposures, threats, and compliance issues

ONE PLACE FOR ALL DATA

Consolidates all security and compliance data in one place, from server population to configuration findings to remediation records

SINGLE RECORD OF TRUTH

Provides a non-tamperable record of technical and operational compliance for your cloud workloads and servers

How Halo Server Secure CWPP Works

For Server Secure, CloudPassage completely reinvented the architecture for agent-based server security so you get the powerful capabilities of an agent without the overhead costs of system impact and difficult management. 

Server Secure’s patented distributed architecture provides maximum security power with minimum server impact. The architecture’s extreme scalability and dynamic operation allow it to keep up with rapid changes in the most dynamic of cloud implementations.

The Microagent of Microagents

A lightweight 2 MB software sensor that delivers all Server Secure features

HIGHLY EFFICIENT COMPILED C CODE

No additional software to install and manage, such as the massive Java runtimes of other agent-based solutions

PROXY-AWARE

Requires no network configuration changes

COMMAND AND CONTROL PROTOCOL

All communications from the agent are outbound via a command and control protocol

SECURE

Exposes no management or communication interfaces and is not network accessible to reinforce security

DESIGNED FOR HOSTILE ENVIRONMENTS

Ensures message authenticity, confidentiality, and integrity with layers of patented cryptographic control enabled at the payload and network level

MAINTAINS ITS OWN HEALTH

Automatically assesses every microagent hourly to proactively detect signs of tampering

ONLY TWO AGENTS TO MANAGE AND UPDATE

One for Linux-based kernels, one for Windows-based kernels—not dozens for every OS distribution and version like other products

SMOOTH NEW RELEASES

New Halo CWPP functionality is deployed in the Halo cloud and automatically “picked up” by microagents when activated by the user

AUTOMATIC UPDATES

Updates are automatically integrated via the Halo portal or the Halo API—or pre-scheduled to occur in the change window of your choice

FAST REGISTRATION

Less than thirty seconds to register new microagents

QUICK RESULTS

Full inventory, interrogation, assessment, and instrumentation for ongoing monitoring in less than ninety seconds

How the Microagent Works

  • Runs as a service on each server’s operating system
  • Monitors important server security factors
  • Sends server data to the Halo Cloud as needed
  • Automatically implements instructions generated by the Halo Cloud
  • Only takes action based on your configuration preferences
    • Making updates to local microsegmentation policies
    • Uploading SSH keys
    • Modifying local user accounts
    • Updating server analysis schedules

Halo components are distributed across your organization's clouds and the Halo cloud

Halo Cloud

A powerful computing environment based on a high-performance and very scalable containerized microservice architecture

  • Performs sophisticated analytics that evaluate data collected by the Server Secure microagents
  • Handles the “heavy lifting” on behalf of the microagents, preserving your server resources and performance
  • Is platform and provider agnostic, delivering operational portability and agility
  • Transparently scales to handle from dozens to hundreds of thousands of servers

Halo Portal

A convenient “single pane of glass” to manage all Halo CWPP capabilities

  • Policy creation
  • Alerting setup
  • Report viewing
  • User and permission management
  • And more

The Process

  1. Agent activates host firewall on boot, applies latest policies, orchestrates ongoing updates
  2. Platform secures privileged access via dynamic firewall rules using multi-factor user authentication
  3. Scans OS configurations for vulnerabilities and continuously monitors OS state and activity
  4. Application configurations are scanned for vulnerabilities, then continuously monitored for changes
  5. Cryptographic integrity monitoring ensures app code and binaries are not compromised
  6. Platform monitors system binary and config files for correct ACLs, file integrity, and vulnerabilities
  7. Network traffic and data access are monitored for indicators of extrusion

Integration with DevOps Toolchains for Automated Security and Compliance

All Server Secure functions are available through the comprehensive CloudPassage REST API and SDK to build security and compliance into operations instead of bolting security on after the fact.

The Halo API is used to automate microagent deployment, integrate with other tools, or create new management tools.

JSON

All security data is available via JSON for easy consumption by downstream tools like SIEM, SOAR, GRC, and operational workflow tools.

DEPLOYMENT SCRIPTS

Microagents can be deployed by Chef, Puppet, Bash, and other common tools, by using included deployment automation scripts.

SERVER IMAGES

Microagents can be pre-configured and built into server images (e.g. AWS AMIs) so security and compliance capabilities activate when your servers do.

CD PIPELINES

All Server Secure capabilities can be leveraged in CD pipelines using a Jenkins-native plugin.

CI/CD TOOLS

A CI/CD SDK enables advanced integration with any CI/CD orchestration tool.

Extensive Asset Coverage

Cloud Servers

  • Inventory
  • Configuration assessment
  • Software inventory
  • Software vulnerability assessment
  • File integrity monitoring
  • Event monitoring

Installed Applications

  • Discovery
  • Inventory
  • Configuration assessment
  • Software vulnerability assessment
  • File integrity monitoring
  • Event monitoring

Processes

  • Discovery
  • Inventory
  • Configuration assessment
  • Event monitoring

Operating Systems

  • Discovery
  • Inventory
  • Configuration assessment
  • Software vulnerability assessment
  • File integrity monitoring
  • Event monitoring

User Accounts

  • Discovery
  • Inventory
  • Configuration assessment
  • Integrity monitoring
  • Event monitoring

Network Traffic

  • Discovery
  • Inventory
  • Visualization
  • IaaS instance metadata collection

Purpose-built on the Unified Halo Cloud Security Platform

Many cloud security “suites” are mashups of old technology that require separate licensing, deployment, administration, and maintenance. Some even require that you purchase their legacy technologies or additional features that should be included to make their “next-generation” technology operate. Unlike “free” IaaS provider tools that don’t provide parity in their competitors’ clouds, Halo works across CSPs.

Halo was designed from the ground up to be a truly unified solution. The Halo Cloud Workload Protection Platform (CWPP) service uses the same API connectors, microagents, console, API, policy engine, data model, and analytics engine as our Cloud Security Posture Management (CSPM) and Container Security services.
