BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Security and the Cloud

Posted June 8, 2011    Brad Hibbert

When enterprise applications and services migrate from the physical data center, organizations begin to lose visibility and control as the shared infrastructure model of the cloud forces IT to give up their traditional control over the network and system resources. As a result, many organizations and cloud providers will tell you that security continues to be a barrier to cloud adoption in 2011. Though these challenges differ depending on the delivery model – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS) – ultimately, providers and customers must share visibility, responsibility, and accountability.

In a public IaaS deployment, customers can manage the operating systems and applications, and can implement controls and processes on that level. In these shared implementations, the providers typically implement security layers at the network and hypervisor layers that may include firewalls, encryption, IDS/IPS, VLANS and vulnerability and penetration testing. However, the details of these internal security programs and their output are not always visible to their customers.

Additionally, many times the cloud providers do not provide an O/S or application-level security solution, which of course should include vulnerability and scanning for enterprise images and applications running on their shared, multitenant infrastructure. With respect to vulnerability scanning, the customer must often rely on the claims of the provider with respect to the network and hypervisor layers. Customers must then, assuming that they are permitted, perform their own scanning to assess their O/S and application risks. As such, core security responsibilities, including vulnerability and penetration testing, are more heavily shared between the provider and the customer, which can result in some confusion and “grey areas” when attempting to implement a solid end-to-end security strategy.

Giving these IaaS challenges, many analysts and providers, such as GoGrid, indicate the trend for organizations to adopt the Private Hosted Cloud, as a way to balance security and compliance requirements with the benefits of a managed infrastructure. In a private hosted cloud, the data center is virtualized on dedicated hardware and managed by the cloud provider. Much like the public cloud, the provider manages physical, network and hypervisor security, but is often more willing to make these programs and processes more transparent to the end customer. Some private cloud vendors also allow customers to perform vulnerability and penetration testing directly against the isolated network and systems, which is a critical component in these virtualized environments.

According to Gartner’s Security Monitoring and Assessment for Cloud Environments, “for private cloud environments, organizations should ensure that a preproduction vulnerability and configuration assessment is integrated with the system provisioning process to ensure that the system is patched, does not contain critical vulnerabilities and is configured with the proper security policies. “

In SaaS and PaaS, organizations have limited visibility into the underlying infrastructure and again depend on the provider to properly secure and manage the network and systems. In these deployments, customers rely on the provider’s security claims of scanning, patching, configuration and vulnerabilities.

Regardless of the cloud model deployed, visibility and transparency of the underlying security program will likely continue to drive many cloud discussions in the years to come. eEye looks forward to working with customers, providers, and the community to help overcome these concerns and drive standardization and transparency.

In addition to helping many providers perform internal security scans on a daily basis, eEye also offers Retina Community  to scan at the network, hypervisor, operating system, and application levels and to provide in-depth vulnerability scanning regardless of your deployment scenario. Just remember to verify that your provider allows you to scan your own hosted assets for vulnerabilities before you begin ;).

Leave a Reply

Additional articles

Are Your Data Security Efforts Focused in the Right Area?

Posted January 28, 2015    Scott Lang

Vormetric Data Security recently released an insider threat report, with research conducted by HarrisPoll and analyzed by Ovum. Based on the survey responses, it is apparent that there is still a great deal of insecurity over data. However, the results also show that there may be misplaced investments to address those insecurities. I will explain…

Tags:
ghost

GHOST Vulnerability…Scary Indeed

Posted January 28, 2015    BeyondTrust Research Team

A vulnerability discovered by Qualys security researchers has surfaced within the GNU C Library that affects virtually all Linux operating systems. The vulnerability lies within the various gethostbyname*() functions and, as such, has been dubbed “GHOST.” GHOST is particularly nasty considering remote, arbitrary code execution can be achieved. In an effort to avoid taxing DNS lookups, glibc developers introduced…

Tags:
,
dave-shackleford-headshot

Your New Years Resolution: Controlling Privileged Users

Posted January 27, 2015    Dave Shackleford

Is 2015 the year you get a better handle on security? The news last year was grim – so much so, in fact, that many in the information security community despaired a bit. Really, the end-of-the-year infosec cocktail parties were a bit glum. OK, let’s be honest, infosec cocktail parties are usually not that wild…

Tags:
, , ,