Cloud is everywhere. Everybody is talking about cloud computing. Some are talking about benefits and some are reiterating security concerns. But the truth is that we are finding it hard to ignore cloud. We just cannot resist it. In fact, if you are not a cloud user today, you will be one tomorrow. You will be using cloud hosting services. There are far too many lucrative benefits to cloud to let go of it.
So whether you are a cloud user today or a future one, there is one important aspect that you should pay attention to – vulnerability management.
We all know that cloud is fraught with security risks. We also know why these risks prevail. And what makes it worse is the fact that cloud is still evolving. We still understand cloud only at the surface level. We have only seen the tip of this iceberg called cloud application development and hosting. But we can certainly make our way past this iceberg with proper vulnerability management.
Vulnerability management is the process of identifying, classifying, remediating, and mitigating vulnerabilities in your hosting environment. But clouds are multi-tenant by nature. More than one application shares a cloud, and you won’t own all of these applications. In public clouds, other enterprises will be sharing cloud space with you as well. So scanning only your own hosting environment is not enough in the cloud. You also have to scan other aspects like network, agent, and network traffic.
So let’s see how to go about managing vulnerabilities in a cloud environment.
Put Policies in Place
The first place to start would be to establish a cloud usage policy. Treat cloud like any other hosting environment. Have proper policies and procedures in place for cloud. These policies should define what assessment techniques or methods will be used for identifying vulnerabilities.
And just formulating policies is not enough. You also have to make sure that they are complied with. How you draw out compliance for these policies will depend on your enterprise culture. You can enforce these policies on your people or they can embrace them. Whatever way you do it, compliance is critical.
Scan to Identify Vulnerabilities
With your policies firmly in place, the next step is to identify the vulnerabilities. How do you do it? By scanning! So do you scan only your hosting environment? No: begin with the environment and then move on to other aspects like devices, databases, applications, users, etc. The ideal scanning technique is to use three different types of scanners:
- Network Scanner: Scan your network for vulnerabilities, as is done traditionally.
- Agent Scanner: Use this scanner for devices that do not allow traditional network-based scanning for vulnerability assessment.
- Traffic Analyzer: Use tools to sniff packet content and identify vulnerabilities in traffic.
If you are a cloud provider, make sure that you account for the following assets:
- SaaS Model: Scan operating systems, hardware, network infrastructure, access management applications, instance resources, upgrades, and patches.
- PaaS Model: Scan operating systems, hardware, network infrastructure, instance resources.
- IaaS Model: Scan your whole infrastructure including operating systems, hardware, network, and virtual machines.
The most common vulnerabilities found in cloud are related to insecure cryptography, virtual machine escape, data protection and portability, session riding and hijacking, vendor lock-in, and internet dependency.
Prioritize the Vulnerabilities
Once you have identified your vulnerabilities, the next logical step is to assign a weight to each of them. You might have more than one threat on hand, and addressing them all at once is not going to help. So first assess the seriousness of each threat and then assign priorities. Some threats can affect your core business operations. They can hurt your database and valuable business information. These should have the highest priority. Vulnerabilities that will leave just a glitch can be taken up at a later stage.
Now that you have assigned priorities to the vulnerabilities, you can start mitigating them. Take up the vulnerabilities with the highest priority first. Try to limit the exposure of valuable business data. Vulnerability management vendors like McAfee, Lumension, Rapid7, nCircle, etc. provide solutions for risk mitigation. There are several virtual patching solutions available in the market to block attempts at exploiting web vulnerabilities. A database firewall can provide a virtual patch for unpatched vulnerabilities in database software.
Maintain & Monitor Vulnerabilities
This is the last step in your vulnerability management process. Once you have patched up the cloud risks, you need to make sure that they don’t reemerge. Some cloud risks grow and evolve with time. It is possible that the patch that you apply today may not be sufficient tomorrow. You might need to apply an advanced or upgraded patch. So keep your eyes open to see that none of your mitigated risks emerge again.
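The prioritization and monitoring steps above can be sketched in code. The following is an added example, not part of the original article: it merges findings from the three scanner types, ranks them by scanner severity multiplied by how critical the asset is to the business, and flags issues that were marked fixed in an earlier cycle but appear again. The asset names, issue labels, tiers and scoring rule are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample tiers (3 = core business data); unknown assets default to 3
# so an uninventoried host is never silently pushed to the bottom of the queue.
ASSET_CRITICALITY = {"orders-db": 3, "web-frontend": 2, "build-agent": 1}

@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str     # placeholder issue label, not a real scanner identifier
    severity: int  # 1 (glitch) .. 5 (critical), as reported by the scanner
    source: str    # "network", "agent" or "traffic"

def prioritize(findings):
    """Merge duplicates reported by several scanners, then rank by business impact."""
    merged = {}
    for f in findings:
        key = (f.asset, f.issue)
        if key not in merged or f.severity > merged[key].severity:
            merged[key] = f  # keep the most severe report of the same issue
    def score(f):
        return f.severity * ASSET_CRITICALITY.get(f.asset, 3)
    return sorted(merged.values(), key=lambda f: (-score(f), f.asset, f.issue))

def reemerged(previously_fixed, current_findings):
    """Return (asset, issue) pairs closed earlier that the current scan reports again."""
    current = {(f.asset, f.issue) for f in current_findings}
    return sorted(previously_fixed & current)

# Constructed sample scan results and remediation history.
SCAN = [
    Finding("web-frontend", "weak-tls-cipher", 3, "network"),
    Finding("web-frontend", "weak-tls-cipher", 4, "traffic"),
    Finding("orders-db", "unpatched-db-engine", 4, "agent"),
    Finding("build-agent", "outdated-package", 5, "agent"),
]
FIXED_LAST_CYCLE = {("orders-db", "unpatched-db-engine"),
                    ("web-frontend", "open-admin-port")}

if __name__ == "__main__":
    for f in prioritize(SCAN):
        print(f.asset, f.issue, f.severity, f.source)
    print("re-emerged:", reemerged(FIXED_LAST_CYCLE, SCAN))
```

Note that the severity 5 finding on the low-tier build agent ranks below the severity 4 finding on the database, which is the ordering the prioritization step calls for.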
A good vulnerability management system shall validate your regulatory and policy compliance. You can better visualize, measure, and control risks associated with cloud. So stay vigilant and stay up-to-date in cloud.