
A look at CloudPassage Halo and Amazon Inspector

Deepak Munjal / 02.01.17

As much as we’d enjoy not facing competition, the fact remains that other companies endeavor to provide some of the same services we do. Let’s just say that some of these companies are small, some of them are large, and one of them is Amazon.com.

Amazon is a major partner that we think very highly of, yet it provides a tool that offers some features similar to what we provide with CloudPassage Halo. This is the kind of weird scenario that only exists in the corporate world. Imagine if Rob Gronkowski was not only Tom Brady’s teammate but also, 10% of the time, suddenly turned around and tried to tackle him. As entertaining as that might be, I’m not entirely sure they could make it work.

Halo does make it work, however, which is why we’d like to take a closer look at a product Amazon released to the public last year: AWS Inspector.

Inspector is Amazon’s stab at an automated workload security service. And similar to just about everything Amazon does — if you haven’t seen the Amazon-produced and Best Picture nominated film Manchester By The Sea yet, you definitely should — it’s good!

Inspector’s service provides software vulnerability assessment (SVA) and configuration security monitoring (CSM) information via an agent-based platform, with pricing based on consumption. It includes deep APIs and is built for automation of agent deployment and scanning.

Sound familiar? It should, because it is familiar. This is very much like the service Halo provides.

Despite these core similarities, the services are not the same. There are some key differences that are very much worth noting:

Inspector is AWS only, while Halo is multicloud and works with AWS, Microsoft Azure, Rackspace, OpenStack, and wherever else you happen to be: bare metal to private cloud to IaaS to the moon (assuming you have servers there). Maybe you’re using AWS for some things and your own servers for others? We’ve got it handled.

Halo isn’t only more far-reaching in where it works; it’s also more comprehensive in how it does that work. Inspector does not include Server Account Management, nor does it provide Traffic Discovery, Firewall Orchestration, multi-factor network authentication, File Integrity Monitoring, or Log-based Intrusion Detection, all security functions found within Halo Segment and Halo Detect. Forrester and Gartner agree these are very important for cloud-based workloads.

All of this work is easily tracked too, as the Halo portal provides a rich overview of security posture across all workloads, with both a scannable top-level overview and deep-dive capability. Inspector doesn’t include this kind of portal.

Halo content templates are also richer, with customizable, platform-specific CIS Benchmarks and DISA STIGs. On the other side, Inspector does not run a full software scan. Instead, the packages that Inspector checks for have to be specified in the rules package. In effect, Inspector requires an AWS-defined SVA policy that cannot be customized.

It’s not all “look at how awesome Halo is!” though. Inspector does include some features that Halo doesn’t, like encryption, DDoS mitigation, and identity and access control. In some scenarios it’s appropriate to use both Inspector and Halo side by side. The products can be very complementary.

This is all to say that Inspector is a quality product; Halo just happens to be a deeper and more mature one. And you’d hope so, considering we’ve been at it for over seven years now.

Though I’m a little disappointed to say so, it’s very unlikely we’ll ever make an Oscar-nominated film or win a bunch of Emmys. What we will always be doing, though, is improving and expanding our core service. We’re entirely focused on server and cloud workload security, and we think that’s a good thing.