BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Security and the Cloud

Posted June 8, 2011    Brad Hibbert

When enterprise applications and services migrate from the physical data center, organizations begin to lose visibility and control as the shared infrastructure model of the cloud forces IT to give up their traditional control over the network and system resources. As a result, many organizations and cloud providers will tell you that security continues to be a barrier to cloud adoption in 2011. Though these challenges differ depending on the delivery model – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS) – ultimately, providers and customers must share visibility, responsibility, and accountability.

In a public IaaS deployment, customers can manage the operating systems and applications, and can implement controls and processes on that level. In these shared implementations, the providers typically implement security layers at the network and hypervisor layers that may include firewalls, encryption, IDS/IPS, VLANS and vulnerability and penetration testing. However, the details of these internal security programs and their output are not always visible to their customers.

Additionally, many times the cloud providers do not provide an O/S or application-level security solution, which of course should include vulnerability and scanning for enterprise images and applications running on their shared, multitenant infrastructure. With respect to vulnerability scanning, the customer must often rely on the claims of the provider with respect to the network and hypervisor layers. Customers must then, assuming that they are permitted, perform their own scanning to assess their O/S and application risks. As such, core security responsibilities, including vulnerability and penetration testing, are more heavily shared between the provider and the customer, which can result in some confusion and “grey areas” when attempting to implement a solid end-to-end security strategy.

Giving these IaaS challenges, many analysts and providers, such as GoGrid, indicate the trend for organizations to adopt the Private Hosted Cloud, as a way to balance security and compliance requirements with the benefits of a managed infrastructure. In a private hosted cloud, the data center is virtualized on dedicated hardware and managed by the cloud provider. Much like the public cloud, the provider manages physical, network and hypervisor security, but is often more willing to make these programs and processes more transparent to the end customer. Some private cloud vendors also allow customers to perform vulnerability and penetration testing directly against the isolated network and systems, which is a critical component in these virtualized environments.

According to Gartner’s Security Monitoring and Assessment for Cloud Environments, “for private cloud environments, organizations should ensure that a preproduction vulnerability and configuration assessment is integrated with the system provisioning process to ensure that the system is patched, does not contain critical vulnerabilities and is configured with the proper security policies. “

In SaaS and PaaS, organizations have limited visibility into the underlying infrastructure and again depend on the provider to properly secure and manage the network and systems. In these deployments, customers rely on the provider’s security claims of scanning, patching, configuration and vulnerabilities.

Regardless of the cloud model deployed, visibility and transparency of the underlying security program will likely continue to drive many cloud discussions in the years to come. eEye looks forward to working with customers, providers, and the community to help overcome these concerns and drive standardization and transparency.

In addition to helping many providers perform internal security scans on a daily basis, eEye also offers Retina Community  to scan at the network, hypervisor, operating system, and application levels and to provide in-depth vulnerability scanning regardless of your deployment scenario. Just remember to verify that your provider allows you to scan your own hosted assets for vulnerabilities before you begin ;).

Leave a Reply

Additional articles

Ponemon_Report

Big Surprise: Cost of Data Breaches Up; Are you Doing the *Right* Things to Mitigate the Costs?

Posted May 28, 2015    Scott Lang

Ponemon Institute Cost of Data Breach Study – costs are going up – to the tune of a 23% increase in total costs of data breaches, and a 12% increase in per-record cost since 2013. Are you doing the right things to mitigate costs?

Tags:
, ,
IRS-Data-Breach

The tip of the IRS data breach – and it IS an iceberg

Posted May 27, 2015    Morey Haber

The IRS has been warned for decades about their security best practices. And now, at least 100,000 Americans have had their records compromised. How? The IRS uses a service called “Get Transcript”.

Tags:
, , ,
dave-shackleford-headshot

Tales from the Datacenter: Vulnerability Management Nightmares

Posted May 27, 2015    Dave Shackleford

Vulnerability scanning, threat management, risk analysis, patching, and configuration management are some of the major activities usually associated with vulnerability management, and none of these are new…so why are we failing so badly at many of them?

Tags:
, ,