Risk
10/23/2009
06:29 PM
Connect Directly
RSS
E-Mail
50%
50%

Tech Insight: Managing Vulnerability In The Cloud

You can't control everything in the cloud, but you can control your data's exposure in the cloud

There's no question companies are responsible for managing vulnerabilities in their IT infrastructures, but when portions of that infrastructure are located in the cloud, it may not be so straightforward.

How do you manage the vulnerabilities of a server if you don't know where it is or what operating system it's running on? While there are well-known models for managing vulnerabilities in the physical infrastructure world, but many of these same models don't apply to the cloud.

Sam Ramji, vice president of strategy for Sanoa says a new model is precisely what's needed for dealing with vulnerabilities that spans the physical and cloud infrastructures. "It calls for a different model because you're moving from N complexity to N**2 complexity," Ramji says.

One big issue inherent in some cloud computing environments is data access is under the control of automated processes working through APIs, rather than user interfaces under the control of human fingers. "One issue is the accidental DDoS possibility [which] wasn't a huge problem with browsers because you had a human who had to type things in to hit the server," he says. "Now you have programs that have different expectations for the server. They're going through the API and exposing the back-end, and might ask for tens of thousands records to be recalled through one API call. It's a load you might never have anticipated your server receiving."

Managing exposure and locking down sensitive records is why many organizations worry that they can't demonstrate regulatory compliance if data is stored in the cloud. HIPAA, Sarbanes-Oxley, and a variety of financial industry regulations all presume a level of direct record control that can't currently be demonstrated in a cloud deployment. Even when sensitive information is merely traversing the cloud rather than being housed there, regulatory compliance can be an issue.

Ajay Nigam, vice president of product management for Symantec Services Group, says that understanding the outcome required is the critical step in managing vulnerabilities a cloud environment. "Organizations are not interested in where software is running -- they're interested in the outcome. As long as they can achieve some sort of guarantee in terms of desired and measured outcome, they're pleased," he says.

Nigam points out that understanding precisely what services are being delivered through the cloud, and determining whether the best model for providing those services is a public or private cloud, are critical points in determining whether your data is safe and properly managed for compliance in the cloud. Knowing how much exposure your data has in the cloud -- is an entire record exposed, or just a fraction of your data, for instance.

The key to vulnerability management in the cloud is limiting the exposure of your data. It's not that functions can't properly be assigned to Web-based delivery: it's that the way in which those functions are delivered must be carefully defined to recognize the limitations of the cloud model.

If storage servers can't be identified and properly protected, then data can't be stored there. If sensitive data is processed in the cloud, then the transportation of data to and from the processors must be secured in a known and accepted manner. If cloud-computing partners are responsible for the maintenance and security of their platforms, then SLAs must be put into place guaranteeing that those platforms will be properly managed to maintain a secure environment.

Nigam's company, meanwhile, is developing a reference architecture for vulnerability management in the physical, virtual, and cloud environments. If your organization wants to ensure HIPAA compliance, for example, you could use this reference model across all elements of your infrastructure, including any portions that are outsourced to the cloud.

That reflects the difficulty in managing vulnerabilities, which is closely tied to the status and maintenance of system (think patch management). Vulnerability management in the cloud is more about managing those pieces of the infrastructure in which you know the details and identifying pieces of the infrastructure that you don't know about.

You can't control your cloud provider's patching schedule like you can your own in-house. So the key is to control how you expose your data in the cloud -- and the less exposure, the better.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0972
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2014-3534
Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio