Programmable Security Fabric


One of the key architectural design elements of Dome9 SecOps is its programmable security fabric that enables the solution to cope with the high rates of change that are common in cloud infrastructure. Built on the model of software-defined security, Dome9 delivers policy automation, abstraction and orchestration via a highly scalable and reliable platform hosted on an elastic cloud infrastructure. Dome9 SecOps also relies on a dual approach of both API-level and agent-based protection to yield greater coverage of cloud environments.

Policy Automation Engine

Ensuring an effective and consistent policy framework becomes significantly easier with Dome9 SecOps. One of the more onerous tasks in cloud security operations is day-to-day network security management – from embedded cloud network firewalls such as AWS Security Groups, to network configurations in host firewalls such as Windows Firewall and Linux iptables.

Build security policies that consolidate management of like servers under one profile, enable new servers to automatically inherit that same policy, and scale out those policies across multiple regions and clouds.

  • Apply a single policy for similar types of servers, and consolidate as many servers from as many clouds as necessary into that one policy. Newly added servers of a specific type automatically inherit that group policy.
  • Configure user access for a specific group of servers (e.g. web admins to web servers) simply by enabling that user's access to the security group.
  • The policy engine supports reusable objects such as IP lists and editable service names and descriptions, as well as tagging, further simplifying operation and reducing human error.
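The group-policy behaviour described in these bullets, as an added example that is not Dome9's own code: a minimal model in which a profile is built from reusable IP lists and named services, every server carrying a given `type` tag inherits that profile, and a server whose type has no profile is flagged rather than silently left unmanaged. All profile names, tags, server ids and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

# Reusable objects shared by every profile (constructed sample values;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
IP_LISTS = {
    "office-egress": ["203.0.113.0/24"],
    "web-admins": ["198.51.100.10/32", "198.51.100.11/32"],
}
SERVICES = {
    "https": ("tcp", 443),
    "ssh": ("tcp", 22),
}


@dataclass(frozen=True)
class Rule:
    service: str       # key into SERVICES
    source: str        # key into IP_LISTS, or the literal "any"
    description: str


@dataclass
class Profile:
    name: str
    inbound: list = field(default_factory=list)


# One profile per server type; servers are attached by their "type" tag.
PROFILES = {
    "web": Profile("web", [
        Rule("https", "any", "public web traffic"),
        Rule("ssh", "web-admins", "admin access for the web team"),
    ]),
    "db": Profile("db", [
        Rule("ssh", "office-egress", "admin access from the office"),
    ]),
}

# Constructed inventory spanning two regions and a hypothetical second cloud.
SERVERS = {
    "i-web-us-east-1a": {"type": "web", "cloud": "aws"},
    "i-web-eu-west-1b": {"type": "web", "cloud": "aws"},
    "vm-db-01": {"type": "db", "cloud": "other-cloud"},
    "i-batch-01": {"type": "batch", "cloud": "aws"},  # no profile defined yet
}


def resolve_rules(profile_name):
    """Expand a profile into concrete (proto, port, cidr, description) tuples.

    A rule that names an unknown IP list or service raises KeyError, so a
    typo in a reusable object fails at policy-build time instead of
    silently opening or dropping traffic on every server in the group.
    """
    concrete = []
    for rule in PROFILES[profile_name].inbound:
        proto, port = SERVICES[rule.service]
        sources = ["0.0.0.0/0"] if rule.source == "any" else IP_LISTS[rule.source]
        for cidr in sources:
            concrete.append((proto, port, cidr, rule.description))
    return concrete


def effective_policy(servers):
    """Return (policies, unmanaged).

    policies maps each server id to the rules inherited from its type's
    profile; unmanaged lists servers whose type has no profile, so they
    are surfaced for review rather than left without a policy.
    """
    policies, unmanaged = {}, []
    for server_id, tags in servers.items():
        profile_name = tags.get("type")
        if profile_name in PROFILES:
            policies[server_id] = resolve_rules(profile_name)
        else:
            unmanaged.append(server_id)
    return policies, unmanaged


def grant_group_access(ip_list, cidr):
    """Admit one more source to a reusable IP list; every profile that
    references the list, and every server on those profiles, picks up
    the change on the next resolve."""
    IP_LISTS[ip_list].append(cidr)


if __name__ == "__main__":
    policies, unmanaged = effective_policy(SERVERS)
    for server_id, rules in policies.items():
        print(server_id, rules)
    print("unmanaged:", unmanaged)
```

Adding a server with `"type": "web"` to the inventory yields exactly the rule set of the existing web servers, and appending an address to the `web-admins` list changes the resolved policy of every web server at once, which is the consolidation the bullets describe.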

Cloud API Orchestration

Dome9 SecOps includes cloud API orchestration on the Amazon AWS platform that enables Dome9 to centrally manage and automate security policies on AWS without an agent.

This unique feature of Dome9, unparalleled in the industry, is available via integration with Amazon's built-in security frameworks and provides centralized management of EC2 and VPC security groups across multiple AWS accounts and regions. Connecting at the virtualization layer, this cloud API orchestration can be set up in seconds via a special IAM role account, and it automates security for all existing and newly created instances.

  • Dome9 SecOps uses a specially created cross-account role (IAM role), with trust for a specific AWS account managed by Dome9, to integrate with your cloud environments.
  • Using the IAM role, the cloud API orchestration layer instantly connects to manage all your existing security groups and instances from the Dome9 console.
  • Additional hardening is built into the product: in addition to the role trust, a second credential, the IAM role's ExternalID, is required when the role is assumed.
  • For GovCloud accounts, Dome9 also supports the older approach of creating a new IAM user in the AWS console with a special API access key.
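As an added example that is not Dome9's own code, the following shows the check a defender would run on a cross-account role of the kind described above. The role's trust policy should allow `sts:AssumeRole` only from the single vendor account and only when the agreed ExternalId is presented; the ExternalId condition is what prevents another customer of the same service from directing the vendor at your role (the confused-deputy problem). The weak trust policy and its hardened form are shown side by side. The account id and ExternalId value are constructed placeholders, not Dome9's.

```python
import json

VENDOR_ACCOUNT = "111122223333"                    # placeholder vendor AWS account id
EXPECTED_EXTERNAL_ID = "example-external-id-0123"  # placeholder value issued by the vendor

# Weak trust policy: trusts the vendor account but carries no ExternalId condition,
# so anyone able to make that account assume roles could target this one.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Hardened trust policy: same principal, plus the sts:ExternalId condition.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
})


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Accept a bare account id or an account-root ARN and return the id."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def audit_trust_policy(policy_json, vendor_account, expected_external_id):
    """Return a list of findings for every Allow statement granting AssumeRole.

    An empty list means the trust policy names only the expected account
    and requires the expected ExternalId.
    """
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue

        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {idx}: trusts any principal")
            principals = []
        else:
            principals = _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*":
                findings.append(f"statement {idx}: trusts any principal")
            elif _account_of(p) != vendor_account:
                findings.append(f"statement {idx}: trusts unexpected account {_account_of(p)}")

        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append(f"statement {idx}: no sts:ExternalId condition")
        elif external_id != expected_external_id:
            findings.append(f"statement {idx}: ExternalId does not match the expected value")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, audit_trust_policy(doc, VENDOR_ACCOUNT, EXPECTED_EXTERNAL_ID) or "ok")
```

The same function can be pointed at the trust document returned for a real role (for example from an `iam:GetRole` call) to confirm that the account and ExternalId in the trust policy are the ones the vendor console displayed when the integration was set up.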

Host Agent Orchestration

The Dome9 SecOps Agent is a tiny, rapidly deployed agent that runs on any Windows- or Linux-based server OS in any infrastructure. Only about 3Mb in size, the agent deploys in under 30 seconds and immediately enforces your security policy. The agent hooks into the server's operating system to control inbound and outbound policies for the host firewall (Linux iptables or Windows Firewall), as well as policies for file integrity monitoring.

  • It can be pre-installed as part of any existing server image templates, and pre-configured with the appropriate security policies using a unique pairing key.
  • It communicates securely with the Dome9 SecOps policy automation engine to relay the state of the server and retrieve and enforce security policy.
  • It can also log all successful or unsuccessful firewall connection attempts if desired.
  • All communications are encrypted, and the agent does not open any inbound ports to receive updates.