Risk
10/23/2009
06:29 PM
50%
50%

Tech Insight: Managing Vulnerability In The Cloud

You can't control everything in the cloud, but you can control your data's exposure in the cloud

There's no question companies are responsible for managing vulnerabilities in their IT infrastructures, but when portions of that infrastructure are located in the cloud, it may not be so straightforward.

How do you manage the vulnerabilities of a server if you don't know where it is or what operating system it's running on? While there are well-known models for managing vulnerabilities in the physical infrastructure world, but many of these same models don't apply to the cloud.

Sam Ramji, vice president of strategy for Sanoa says a new model is precisely what's needed for dealing with vulnerabilities that spans the physical and cloud infrastructures. "It calls for a different model because you're moving from N complexity to N**2 complexity," Ramji says.

One big issue inherent in some cloud computing environments is data access is under the control of automated processes working through APIs, rather than user interfaces under the control of human fingers. "One issue is the accidental DDoS possibility [which] wasn't a huge problem with browsers because you had a human who had to type things in to hit the server," he says. "Now you have programs that have different expectations for the server. They're going through the API and exposing the back-end, and might ask for tens of thousands records to be recalled through one API call. It's a load you might never have anticipated your server receiving."

Managing exposure and locking down sensitive records is why many organizations worry that they can't demonstrate regulatory compliance if data is stored in the cloud. HIPAA, Sarbanes-Oxley, and a variety of financial industry regulations all presume a level of direct record control that can't currently be demonstrated in a cloud deployment. Even when sensitive information is merely traversing the cloud rather than being housed there, regulatory compliance can be an issue.

Ajay Nigam, vice president of product management for Symantec Services Group, says that understanding the outcome required is the critical step in managing vulnerabilities a cloud environment. "Organizations are not interested in where software is running -- they're interested in the outcome. As long as they can achieve some sort of guarantee in terms of desired and measured outcome, they're pleased," he says.

Nigam points out that understanding precisely what services are being delivered through the cloud, and determining whether the best model for providing those services is a public or private cloud, are critical points in determining whether your data is safe and properly managed for compliance in the cloud. Knowing how much exposure your data has in the cloud -- is an entire record exposed, or just a fraction of your data, for instance.

The key to vulnerability management in the cloud is limiting the exposure of your data. It's not that functions can't properly be assigned to Web-based delivery: it's that the way in which those functions are delivered must be carefully defined to recognize the limitations of the cloud model.

If storage servers can't be identified and properly protected, then data can't be stored there. If sensitive data is processed in the cloud, then the transportation of data to and from the processors must be secured in a known and accepted manner. If cloud-computing partners are responsible for the maintenance and security of their platforms, then SLAs must be put into place guaranteeing that those platforms will be properly managed to maintain a secure environment.

Nigam's company, meanwhile, is developing a reference architecture for vulnerability management in the physical, virtual, and cloud environments. If your organization wants to ensure HIPAA compliance, for example, you could use this reference model across all elements of your infrastructure, including any portions that are outsourced to the cloud.

That reflects the difficulty in managing vulnerabilities, which is closely tied to the status and maintenance of system (think patch management). Vulnerability management in the cloud is more about managing those pieces of the infrastructure in which you know the details and identifying pieces of the infrastructure that you don't know about.

You can't control your cloud provider's patching schedule like you can your own in-house. So the key is to control how you expose your data in the cloud -- and the less exposure, the better.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-2086
Published: 2015-02-26
Cross-site scripting (XSS) vulnerability in the live preview in the Panopoly Magic module before 7.x-1.17 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a pane title.

CVE-2015-2087
Published: 2015-02-26
Unrestricted file upload vulnerability in the Avatar Uploader module before 6.x-1.3 for Drupal allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via unspecified vectors.

CVE-2015-2088
Published: 2015-02-26
Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Term Queue module before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

CVE-2015-2089
Published: 2015-02-26
Multiple cross-site request forgery (CSRF) vulnerabilities in the CrossSlide jQuery (crossslide-jquery-plugin-for-wordpress) plugin 2.0.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or conduct cross-site scripting (...

CVE-2015-2090
Published: 2015-02-26
SQL injection vulnerability in the ajax_survey function in settings.php in the WordPress Survey and Poll plugin 1.1.7 for Wordpress allows remote attackers to execute arbitrary SQL commands via the survey_id parameter in an ajax_survey action to wp-admin/admin-ajax.php.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.