
Tech Insight: Managing Vulnerability In The Cloud

You can't control everything in the cloud, but you can control your data's exposure in the cloud

Oct 23, 2009 | 06:29 PM

By Curt Franklin
DarkReading

There's no question companies are responsible for managing vulnerabilities in their IT infrastructures, but when portions of that infrastructure are located in the cloud, it may not be so straightforward.

How do you manage the vulnerabilities of a server if you don't know where it is or what operating system it's running on? While there are well-known models for managing vulnerabilities in the physical infrastructure world, many of these same models don't apply to the cloud.

Sam Ramji, vice president of strategy for Sanoa, says a new model is precisely what's needed for dealing with vulnerabilities that span the physical and cloud infrastructures. "It calls for a different model because you're moving from N complexity to N**2 complexity," Ramji says.

One big issue inherent in some cloud computing environments is that data access is under the control of automated processes working through APIs, rather than user interfaces under the control of human fingers. "One issue is the accidental DDoS possibility [which] wasn't a huge problem with browsers because you had a human who had to type things in to hit the server," he says. "Now you have programs that have different expectations for the server. They're going through the API and exposing the back-end, and might ask for tens of thousands of records to be recalled through one API call. It's a load you might never have anticipated your server receiving."

Managing exposure and locking down sensitive records is why many organizations worry that they can't demonstrate regulatory compliance if data is stored in the cloud. HIPAA, Sarbanes-Oxley, and a variety of financial industry regulations all presume a level of direct record control that can't currently be demonstrated in a cloud deployment. Even when sensitive information is merely traversing the cloud rather than being housed there, regulatory compliance can be an issue.

Ajay Nigam, vice president of product management for Symantec Services Group, says that understanding the outcome required is the critical step in managing vulnerabilities in a cloud environment. "Organizations are not interested in where software is running -- they're interested in the outcome. As long as they can achieve some sort of guarantee in terms of desired and measured outcome, they're pleased," he says.

Nigam points out that understanding precisely what services are being delivered through the cloud, and determining whether the best model for providing those services is a public or private cloud, are critical points in determining whether your data is safe and properly managed for compliance in the cloud. Another is knowing how much exposure your data has in the cloud -- is an entire record exposed, or just a fraction of your data, for instance?

The key to vulnerability management in the cloud is limiting the exposure of your data. It's not that functions can't properly be assigned to Web-based delivery: it's that the way in which those functions are delivered must be carefully defined to recognize the limitations of the cloud model.

If storage servers can't be identified and properly protected, then data can't be stored there. If sensitive data is processed in the cloud, then the transportation of data to and from the processors must be secured in a known and accepted manner. If cloud-computing partners are responsible for the maintenance and security of their platforms, then SLAs must be put into place guaranteeing that those platforms will be properly managed to maintain a secure environment.

Nigam's company, meanwhile, is developing a reference architecture for vulnerability management in the physical, virtual, and cloud environments. If your organization wants to ensure HIPAA compliance, for example, you could use this reference model across all elements of your infrastructure, including any portions that are outsourced to the cloud.

That reflects the difficulty in managing vulnerabilities, which is closely tied to the status and maintenance of systems (think patch management). Vulnerability management in the cloud is more about managing those pieces of the infrastructure whose details you know and identifying the pieces of the infrastructure that you don't know about.

You can't control your cloud provider's patching schedule the way you can your own in-house. So the key is to control how you expose your data in the cloud -- and the less exposure, the better.
