BeyondTrust

Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

Security and the Cloud

Post by Brad Hibbert June 8, 2011

When enterprise applications and services migrate from the physical data center, organizations begin to lose visibility and control as the shared infrastructure model of the cloud forces IT to give up their traditional control over the network and system resources. As a result, many organizations and cloud providers will tell you that security continues to be a barrier to cloud adoption in 2011. Though these challenges differ depending on the delivery model – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS) – ultimately, providers and customers must share visibility, responsibility, and accountability.

In a public IaaS deployment, customers can manage the operating systems and applications, and can implement controls and processes on that level. In these shared implementations, the providers typically implement security layers at the network and hypervisor layers that may include firewalls, encryption, IDS/IPS, VLANS and vulnerability and penetration testing. However, the details of these internal security programs and their output are not always visible to their customers.

Additionally, many times the cloud providers do not provide an O/S or application-level security solution, which of course should include vulnerability and scanning for enterprise images and applications running on their shared, multitenant infrastructure. With respect to vulnerability scanning, the customer must often rely on the claims of the provider with respect to the network and hypervisor layers. Customers must then, assuming that they are permitted, perform their own scanning to assess their O/S and application risks. As such, core security responsibilities, including vulnerability and penetration testing, are more heavily shared between the provider and the customer, which can result in some confusion and “grey areas” when attempting to implement a solid end-to-end security strategy.

Giving these IaaS challenges, many analysts and providers, such as GoGrid, indicate the trend for organizations to adopt the Private Hosted Cloud, as a way to balance security and compliance requirements with the benefits of a managed infrastructure. In a private hosted cloud, the data center is virtualized on dedicated hardware and managed by the cloud provider. Much like the public cloud, the provider manages physical, network and hypervisor security, but is often more willing to make these programs and processes more transparent to the end customer. Some private cloud vendors also allow customers to perform vulnerability and penetration testing directly against the isolated network and systems, which is a critical component in these virtualized environments.

According to Gartner’s Security Monitoring and Assessment for Cloud Environments, “for private cloud environments, organizations should ensure that a preproduction vulnerability and configuration assessment is integrated with the system provisioning process to ensure that the system is patched, does not contain critical vulnerabilities and is configured with the proper security policies. “

In SaaS and PaaS, organizations have limited visibility into the underlying infrastructure and again depend on the provider to properly secure and manage the network and systems. In these deployments, customers rely on the provider’s security claims of scanning, patching, configuration and vulnerabilities.

Regardless of the cloud model deployed, visibility and transparency of the underlying security program will likely continue to drive many cloud discussions in the years to come. eEye looks forward to working with customers, providers, and the community to help overcome these concerns and drive standardization and transparency.

In addition to helping many providers perform internal security scans on a daily basis, eEye also offers Retina Community  to scan at the network, hypervisor, operating system, and application levels and to provide in-depth vulnerability scanning regardless of your deployment scenario. Just remember to verify that your provider allows you to scan your own hosted assets for vulnerabilities before you begin ;).

Leave a Reply

Additional articles

smart rules manager for vulnerabilities

Staying on Top of the Latest Vulnerabilities with BeyondInsight v5.1

It’s no secret that dozens of new OS and application vulnerabilities are revealed every day. Staying on top of these new exposures normally requires paying for services or subscribing to multiple RSS feeds. BeyondInsight 5.1 provides customers with another option: a built-in, customizable vulnerability alerting system that delivers up-to-date information on the latest vulnerabilities in…

Post by Morey Haber April 21, 2014
Tags:
, , , , , ,
BI-Qualys-Connector-IMG1

Getting More Value from QualysGuard Vulnerability Data with BeyondInsight v5.1

If your vulnerability assessment scans can’t produce meaningful and actionable reports, performing a scan does no good for anyone. If you’ve read my other blog posts, you know I have no qualms about stating that BeyondTrust provides the best vulnerability reporting in the industry. Ask your favorite analyst and they’ll tend to agree. Of course,…

Post by Morey Haber April 18, 2014
Tags:
, , , , , , , ,
insider-threat-fed

Mitigating Inside Threats to U.S. Federal IT Environments

Recent high-profile cases have increased the perceived risks that go along with disclosure and usage of confidential information. One of the most difficult security threats to mitigate is an attack from the inside. When an over-privileged user, such as an unhappy current or former employee, contractor, or consultant, begins navigating your network, how will you…

Post by BeyondTrust Software April 17, 2014
Tags:
, , , , ,