Halo Cloud Secure gives you confidence in threat prevention and compliance for IaaS environments including AWS and Azure

IaaS Threat Prevention and Compliance Need the Right Tools

Datacenter migrations, cloud-native application development, and serverless application architectures are just a few of the use cases driving enterprises to adopt public IaaS. Cloud infrastructure services like AWS and Microsoft Azure provide seemingly limitless speed, scale, and distribution for a wide variety of application infrastructure.

The business benefits to digitally-driven enterprises are clear, but security teams without the right tools are left struggling with basic issues like asset and risk visibility. Just one compromise is all it takes to wipe out the value of cloud adoption.

Designed for IaaS environments

We built Cloud Secure explicitly to give security teams automated and up-to-date awareness of assets, threat exposures, and compliance concerns across all their public cloud infrastructure environments. Cloud Secure is built on the Halo platform, so it delivers the same level of integration, automation, scale and speed as our other workload protection solutions. The common Halo platform also means true integration across capabilities, so you don’t have to integrate multiple products – or wait for other vendors to integrate their own point solutions.

How it Works

Enterprise-class features make IaaS protection easy while delivering flexibility and control.

Built to be fast and easy to set up by leveraging IaaS provider mechanisms. Through a simple read-only role, you can enable Cloud Secure to evaluate your AWS or Azure environment in minutes. For enterprises with many IaaS accounts, API automation can set up hundreds or even thousands of accounts easily. Depending on the size of the account, you will have full inventory and assessment results within five to fifteen minutes.

architecture diagram

To learn more about how Halo Cloud Secure works, please check out the Halo Cloud Secure Technical Brief.

Use Cases

Every enterprise adopts IaaS for its own reasons and every use case comes with new workload protection requirements.

Your enterprise might use IaaS to gain development agility, optimize cost structures, or to decentralize application development and ops. Or perhaps you’re with a cloud-native startup that’s in the cloud because it was born there. Whatever the reason, here are some of the most commonly seen use cases for Halo Cloud Secure.

Server Migration

The lift-and-shift cloud migration model means moving servers into IaaS environments "as-is" and is usually tied to goals of reducing in-house data center footprint. Even this simple model means new protection and compliance needs since servers will be in a more dynamic environment. Your security team needs the ability to automatically track what server assets are where, evaluate cloud-based servers for exposures, protect the IaaS control plane, and ensure it's all in compliance.

Application Elasticity

Cloud infrastructure enables applications to scale up and down through mechanisms like cloud auto-scaling (a.k.a. "cloudbursting"). For security engineers, this means having automation that can track ephemeral cloud resources through rapid scale-up and scale-down operations. For compliance operations, effective automation that can continuously generate audit data for in-scope assets is critical for passing audits in elastic, ephemeral environments.

Docker as a Service

Many enterprises adopt public cloud services so they don't have to manage their own Docker runtime environments. Managed Docker runtimes like AWS Fargate and Azure Container Instances address many security and compliance requirements. However, cloud infrastructure security is a shared responsibility. Your team needs automation capabilities to address the user's responsibilities for ensuring security and compliance of the Docker service and related registry and pipeline components.​


Kubernetes as a Service​

There's a growing trend in implementing true service-centric and microservices architectures on Kubernetes. As with Docker, many enterprises would rather focus on the applications themselves, not the underlying Kubernetes platform. Turn-key Kubernetes services like AWS Elastic Kubernetes Service (EKS) and Azure Kubernetes Service (AKS) address this desire. As with any other public cloud service, there is a shared responsibility for security and compliance, and your team needs solutions built to help them keep up their end.​

Managed Data Services

Cloud service providers offer turn-key object storage, SQL and no-SQL databases, map-reduce, and search/analytics services that are scalable, distributed, and highly available. Many development teams are recognizing that their time is better spent on implementing application functionality than on wrestling with underlying data services. For security and compliance engineers, this again means managing their part of the responsibility model for services like AWS S3, AWS Dynamo, Azure SQL, and Azure Blob Storage to name just a few. Your team needs automation that can help them architect, implement, and monitor key threat prevention and compliance controls for critical data assets in these services.


Cloud Secure's features give security engineering teams the capabilities to handle IaaS security and compliance quickly and easily at any scale.


Halo Cloud Secure is continually evolving based on feedback from our customers, including some of the largest and most sophisticated cloud deployments on the planet. Here are a few of the features that make Halo Cloud Secure a high-value solution: 

For a complete inventory of all Halo Cloud Secure features and capabilities, please download the Halo Cloud Secure technical brief.

  • Fully automated asset inventory across any number of IaaS environments
  • Continuous security and compliance evaluation of IaaS accounts, services, and resources
  • Detailed issue resolution advice via UI or REST API, including full technical details of expected and identified state in JSON format
  • Exhaustive library of customizable technical rules and policies supporting common technical standards needed for compliance with PCI DSS, SysTrust/SOC 2, HIPAA, and other regulatory requirements
  • Delivery of JSON issue data to asset owners via AWS SQS, enabling system owners to automate resolution of critical exposures
  • Automatic collection and integration of cloud service provider metadata (including user-defined tags) to make operations easier
  • Built on the Halo platform to provide one consistent interface, data model, REST API, and integration strategy for public IaaS assets as well as server-based and containerized assets


Supported Platforms

Halo Cloud Secure supports a broad set of Amazon Web Services and Microsoft Azure services that are frequently deployed in modern application stacks.

CloudPassage constantly adds new public IaaS services and related rules and policies to support the most frequently deployed cloud infrastructure. If you don’t see a service that you need, contact us to ask – it might be right around the corner.

Amazon Web Services

  • API Gateway
  • CloudFormation
  • CloudTrail
  • Elastic Compute Cloud (EC2)
  • Elastic Load Balancing (ELB)
  • Identity and Access Management (IAM)
  • Key Management Service
  • Lambda Serverless Compute
  • Relational Database Service (RDS)
  • Route 53
  • Simple Storage Service (S3)
  • Virtual Private Cloud (VPC)

Microsoft Azure

  • Application Gateway
  • App Service
  • Compute
  • Active Directory
  • Functions
  • SQL Servers
  • Storage
  • Virtual Network

* Halo Cloud Secure support for Google Cloud Platform is scheduled for 2020.

Related Resources

Participate in Independent Cloud Security Research and Get Access to Industry Reports

Take part in one or more of our surveys and let your voice be heard​