Risk
10/23/2009
06:29 PM

Tech Insight: Managing Vulnerability In The Cloud

You can't control everything in the cloud, but you can control your data's exposure in the cloud

There's no question companies are responsible for managing vulnerabilities in their IT infrastructures, but when portions of that infrastructure are located in the cloud, it may not be so straightforward.

How do you manage the vulnerabilities of a server if you don't know where it is or what operating system it's running on? While there are well-known models for managing vulnerabilities in the physical infrastructure world, many of these same models don't apply to the cloud.

Sam Ramji, vice president of strategy for Sanoa, says a new model, one that spans the physical and cloud infrastructures, is precisely what's needed for dealing with vulnerabilities. "It calls for a different model because you're moving from N complexity to N**2 complexity," Ramji says.

One big issue inherent in some cloud computing environments is that data access is under the control of automated processes working through APIs, rather than user interfaces under the control of human fingers. "One issue is the accidental DDoS possibility [which] wasn't a huge problem with browsers because you had a human who had to type things in to hit the server," he says. "Now you have programs that have different expectations for the server. They're going through the API and exposing the back-end, and might ask for tens of thousands of records to be recalled through one API call. It's a load you might never have anticipated your server receiving."
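The two controls a practitioner would put in front of an API like the one Ramji describes are a hard cap on records returned per call (server-side pagination) and a per-client rate limit, so a runaway script can neither pull the whole table in one request nor hammer the endpoint in a loop. The following is an added example, not code from the article or from either company quoted; the endpoint shape, the limits, the client IDs and the in-memory record store are assumptions chosen for illustration.

```python
"""Added illustration: bounding the load an automated API client can place on a
back end. Page-size clamping plus a per-client token bucket. All names, limits
and the in-memory store are assumptions for the example, not a real product's API."""
import time

MAX_PAGE_SIZE = 100      # assumed ceiling: a client may ask for fewer, never more
DEFAULT_PAGE_SIZE = 25


class TokenBucket:
    """Per-client limiter: refills `rate` tokens/second, stores at most `burst`."""

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.last = clock()

    def allow(self) -> bool:
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def clamp_page_size(requested) -> int:
    """Validate the client's requested page size and return what the server
    will actually use: the default if absent, otherwise clamped to MAX_PAGE_SIZE."""
    if requested is None:
        return DEFAULT_PAGE_SIZE
    try:
        n = int(requested)
    except (TypeError, ValueError):
        raise ValueError("page_size must be an integer")
    if n < 1:
        raise ValueError("page_size must be positive")
    return min(n, MAX_PAGE_SIZE)


# Constructed back-end store: 10,000 rows, so an uncapped request would be costly.
RECORDS = [{"id": i, "value": f"record-{i}"} for i in range(10_000)]
BUCKETS = {}  # client_id -> TokenBucket (one bucket per API key/tenant)


def list_records(client_id: str, page_size=None, cursor: int = 0,
                 rate: float = 5.0, burst: int = 10, clock=time.monotonic) -> dict:
    """Handle one GET /records call. Returns a 429 when the client's bucket is
    empty, otherwise a bounded page and the cursor for the next page. The
    `rate`, `burst` and `clock` arguments only matter the first time a client
    is seen; they configure that client's bucket."""
    bucket = BUCKETS.setdefault(client_id, TokenBucket(rate, burst, clock))
    if not bucket.allow():
        return {"status": 429, "error": "rate limit exceeded"}
    size = clamp_page_size(page_size)
    page = RECORDS[cursor:cursor + size]
    next_cursor = cursor + size if cursor + size < len(RECORDS) else None
    return {"status": 200, "items": page, "next_cursor": next_cursor}


if __name__ == "__main__":
    # A client asking for 50,000 rows in one call gets MAX_PAGE_SIZE and a cursor.
    first = list_records("svc-a", page_size=50_000)
    print(first["status"], len(first["items"]), first["next_cursor"])
```

Note that the cap is enforced on the server regardless of what the client asks for, and the cursor forces the client to make its load visible as many small calls rather than one large one, which is exactly where the rate limiter can act.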

Managing exposure and locking down sensitive records is why many organizations worry that they can't demonstrate regulatory compliance if data is stored in the cloud. HIPAA, Sarbanes-Oxley, and a variety of financial industry regulations all presume a level of direct record control that can't currently be demonstrated in a cloud deployment. Even when sensitive information is merely traversing the cloud rather than being housed there, regulatory compliance can be an issue.

Ajay Nigam, vice president of product management for Symantec Services Group, says that understanding the outcome required is the critical step in managing vulnerabilities in a cloud environment. "Organizations are not interested in where software is running -- they're interested in the outcome. As long as they can achieve some sort of guarantee in terms of desired and measured outcome, they're pleased," he says.

Nigam points out that understanding precisely what services are being delivered through the cloud, and determining whether the best model for providing those services is a public or private cloud, are critical points in determining whether your data is safe and properly managed for compliance in the cloud. So is knowing how much exposure your data has in the cloud: is an entire record exposed, or just a fraction of it?

The key to vulnerability management in the cloud is limiting the exposure of your data. It's not that functions can't properly be assigned to Web-based delivery: it's that the way in which those functions are delivered must be carefully defined to recognize the limitations of the cloud model.

If storage servers can't be identified and properly protected, then data can't be stored there. If sensitive data is processed in the cloud, then the transportation of data to and from the processors must be secured in a known and accepted manner. If cloud-computing partners are responsible for the maintenance and security of their platforms, then SLAs must be put into place guaranteeing that those platforms will be properly managed to maintain a secure environment.
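One concrete way to act on "only a fraction of the record is exposed" is to decide, field by field and on premises, what a cloud service is allowed to see before anything is sent: fields the service genuinely needs go in clear, identifiers that must stay joinable are replaced by a keyed pseudonym, high-value secrets are replaced by random tokens whose mapping never leaves the building, and everything else is dropped. The following is an added example, not code from the article, Symantec or Sanoa; the field names, the policy, the sample patient record and the vault are constructed for illustration.

```python
"""Added illustration: minimizing a record before it leaves for a cloud service.
Per-field policy decided on-prem:
  keep      - sent in clear (the cloud service needs the value)
  pseudonym - keyed HMAC-SHA256; joinable across records, unrecoverable without the key
  tokenize  - random token; the token->value map lives only in the local vault
Fields absent from the policy are dropped. Names and data are constructed."""
import hmac
import hashlib
import secrets

# Assumed policy for a hypothetical claims-analytics service.
POLICY = {
    "patient_id": "pseudonym",
    "ssn": "tokenize",
    "diagnosis_code": "keep",
    "visit_date": "keep",
    # "name" and "address" are deliberately absent: they never leave the premises
}


class OnPremVault:
    """Holds the pseudonym key and the token map. This object is never sent to the cloud."""

    def __init__(self, key: bytes):
        self._key = key
        self._tokens = {}

    def pseudonym(self, value: str) -> str:
        # Deterministic, so the same patient_id maps to the same pseudonym every time.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        # Random, so the token carries no information about the value at all.
        token = "tok_" + secrets.token_hex(16)
        self._tokens[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._tokens[token]


def minimize(record: dict, vault: OnPremVault, policy=POLICY) -> dict:
    """Return the copy of `record` that the cloud service is allowed to receive."""
    out = {}
    for field, action in policy.items():
        if field not in record:
            continue
        value = str(record[field])
        if action == "keep":
            out[field] = value
        elif action == "pseudonym":
            out[field] = vault.pseudonym(value)
        elif action == "tokenize":
            out[field] = vault.tokenize(value)
        else:
            raise ValueError(f"unknown action {action!r} for field {field!r}")
    return out


def exposed_fields(record: dict, policy=POLICY) -> set:
    """The fraction of the record that reaches the cloud in clear."""
    return {f for f, a in policy.items() if a == "keep" and f in record}


# Constructed sample record.
SAMPLE = {
    "patient_id": "P-00042",
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "address": "1 Main St",
    "diagnosis_code": "E11.9",
    "visit_date": "2009-10-23",
}

if __name__ == "__main__":
    vault = OnPremVault(secrets.token_bytes(32))
    print(minimize(SAMPLE, vault))
    print("in clear:", sorted(exposed_fields(SAMPLE)))
```

The distinction between the two replacement methods matters: a keyed HMAC of a low-entropy value such as an SSN can be brute-forced by anyone who obtains the key, which is why the example tokenizes the SSN instead and reserves pseudonyms for identifiers that must remain joinable in the cloud.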

Nigam's company, meanwhile, is developing a reference architecture for vulnerability management in the physical, virtual, and cloud environments. If your organization wants to ensure HIPAA compliance, for example, you could use this reference model across all elements of your infrastructure, including any portions that are outsourced to the cloud.

That reflects the difficulty of managing vulnerabilities, which is closely tied to the status and maintenance of systems (think patch management). Vulnerability management in the cloud is more about managing the pieces of the infrastructure whose details you know, and identifying the pieces you don't know about.

You can't control your cloud provider's patching schedule the way you can your own in-house systems. So the key is to control how you expose your data in the cloud -- and the less exposure, the better.
