Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/23/2009
06:29 PM
50%
50%

Tech Insight: Managing Vulnerability In The Cloud

You can't control everything in the cloud, but you can control your data's exposure in the cloud

There's no question companies are responsible for managing vulnerabilities in their IT infrastructures, but when portions of that infrastructure are located in the cloud, it may not be so straightforward.

How do you manage the vulnerabilities of a server if you don't know where it is or what operating system it's running on? While there are well-known models for managing vulnerabilities in the physical infrastructure world, but many of these same models don't apply to the cloud.

Sam Ramji, vice president of strategy for Sanoa says a new model is precisely what's needed for dealing with vulnerabilities that spans the physical and cloud infrastructures. "It calls for a different model because you're moving from N complexity to N**2 complexity," Ramji says.

One big issue inherent in some cloud computing environments is data access is under the control of automated processes working through APIs, rather than user interfaces under the control of human fingers. "One issue is the accidental DDoS possibility [which] wasn't a huge problem with browsers because you had a human who had to type things in to hit the server," he says. "Now you have programs that have different expectations for the server. They're going through the API and exposing the back-end, and might ask for tens of thousands records to be recalled through one API call. It's a load you might never have anticipated your server receiving."

Managing exposure and locking down sensitive records is why many organizations worry that they can't demonstrate regulatory compliance if data is stored in the cloud. HIPAA, Sarbanes-Oxley, and a variety of financial industry regulations all presume a level of direct record control that can't currently be demonstrated in a cloud deployment. Even when sensitive information is merely traversing the cloud rather than being housed there, regulatory compliance can be an issue.

Ajay Nigam, vice president of product management for Symantec Services Group, says that understanding the outcome required is the critical step in managing vulnerabilities a cloud environment. "Organizations are not interested in where software is running -- they're interested in the outcome. As long as they can achieve some sort of guarantee in terms of desired and measured outcome, they're pleased," he says.

Nigam points out that understanding precisely what services are being delivered through the cloud, and determining whether the best model for providing those services is a public or private cloud, are critical points in determining whether your data is safe and properly managed for compliance in the cloud. Knowing how much exposure your data has in the cloud -- is an entire record exposed, or just a fraction of your data, for instance.

The key to vulnerability management in the cloud is limiting the exposure of your data. It's not that functions can't properly be assigned to Web-based delivery: it's that the way in which those functions are delivered must be carefully defined to recognize the limitations of the cloud model.

If storage servers can't be identified and properly protected, then data can't be stored there. If sensitive data is processed in the cloud, then the transportation of data to and from the processors must be secured in a known and accepted manner. If cloud-computing partners are responsible for the maintenance and security of their platforms, then SLAs must be put into place guaranteeing that those platforms will be properly managed to maintain a secure environment.

Nigam's company, meanwhile, is developing a reference architecture for vulnerability management in the physical, virtual, and cloud environments. If your organization wants to ensure HIPAA compliance, for example, you could use this reference model across all elements of your infrastructure, including any portions that are outsourced to the cloud.

That reflects the difficulty in managing vulnerabilities, which is closely tied to the status and maintenance of system (think patch management). Vulnerability management in the cloud is more about managing those pieces of the infrastructure in which you know the details and identifying pieces of the infrastructure that you don't know about.

You can't control your cloud provider's patching schedule like you can your own in-house. So the key is to control how you expose your data in the cloud -- and the less exposure, the better.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4147
PUBLISHED: 2019-09-16
IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 158413.
CVE-2019-5481
PUBLISHED: 2019-09-16
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
CVE-2019-5482
PUBLISHED: 2019-09-16
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
CVE-2019-15741
PUBLISHED: 2019-09-16
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsafe interaction with logrotate could result in a privilege escalation
CVE-2019-16370
PUBLISHED: 2019-09-16
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.