BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Security and the Cloud

Posted June 8, 2011    Brad Hibbert

When enterprise applications and services migrate from the physical data center, organizations begin to lose visibility and control as the shared infrastructure model of the cloud forces IT to give up their traditional control over the network and system resources. As a result, many organizations and cloud providers will tell you that security continues to be a barrier to cloud adoption in 2011. Though these challenges differ depending on the delivery model – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS) – ultimately, providers and customers must share visibility, responsibility, and accountability.

In a public IaaS deployment, customers can manage the operating systems and applications, and can implement controls and processes on that level. In these shared implementations, the providers typically implement security layers at the network and hypervisor layers that may include firewalls, encryption, IDS/IPS, VLANS and vulnerability and penetration testing. However, the details of these internal security programs and their output are not always visible to their customers.

Additionally, many times the cloud providers do not provide an O/S or application-level security solution, which of course should include vulnerability and scanning for enterprise images and applications running on their shared, multitenant infrastructure. With respect to vulnerability scanning, the customer must often rely on the claims of the provider with respect to the network and hypervisor layers. Customers must then, assuming that they are permitted, perform their own scanning to assess their O/S and application risks. As such, core security responsibilities, including vulnerability and penetration testing, are more heavily shared between the provider and the customer, which can result in some confusion and “grey areas” when attempting to implement a solid end-to-end security strategy.

Giving these IaaS challenges, many analysts and providers, such as GoGrid, indicate the trend for organizations to adopt the Private Hosted Cloud, as a way to balance security and compliance requirements with the benefits of a managed infrastructure. In a private hosted cloud, the data center is virtualized on dedicated hardware and managed by the cloud provider. Much like the public cloud, the provider manages physical, network and hypervisor security, but is often more willing to make these programs and processes more transparent to the end customer. Some private cloud vendors also allow customers to perform vulnerability and penetration testing directly against the isolated network and systems, which is a critical component in these virtualized environments.

According to Gartner’s Security Monitoring and Assessment for Cloud Environments, “for private cloud environments, organizations should ensure that a preproduction vulnerability and configuration assessment is integrated with the system provisioning process to ensure that the system is patched, does not contain critical vulnerabilities and is configured with the proper security policies. “

In SaaS and PaaS, organizations have limited visibility into the underlying infrastructure and again depend on the provider to properly secure and manage the network and systems. In these deployments, customers rely on the provider’s security claims of scanning, patching, configuration and vulnerabilities.

Regardless of the cloud model deployed, visibility and transparency of the underlying security program will likely continue to drive many cloud discussions in the years to come. eEye looks forward to working with customers, providers, and the community to help overcome these concerns and drive standardization and transparency.

In addition to helping many providers perform internal security scans on a daily basis, eEye also offers Retina Community  to scan at the network, hypervisor, operating system, and application levels and to provide in-depth vulnerability scanning regardless of your deployment scenario. Just remember to verify that your provider allows you to scan your own hosted assets for vulnerabilities before you begin ;).

Leave a Reply

Additional articles

PowerBroker for Unix & Linux helps prevent Shellshock

Posted September 25, 2014    Paul Harper

Like many other people who tinker with UNIX and Linux on a regular basis, BASH has always been my shell of choice.  Dating back to the early days moving from Windows to a non-Windows platform, mapping the keys correctly to allow easy navigation and control helped ensure an explosion of use for the shell. Unfortunately,…

Bash “Shellshock” Vulnerability – Retina Updates

Posted September 24, 2014    BeyondTrust Research Team

A major vulnerability was recently discovered within bash which allows arbitrary command execution via specially crafted environment variables. This is possible due to the fact that bash supports the assignment of shell functions to shell variables. When bash parses environment shell functions, it continues parsing even after the closing brace of the function definition. If…

pbps-blog3

7 Reasons Customers Switch to Password Safe for Privileged Password Management

Posted September 24, 2014    Chris Burd

It’s clear that privileged password management tools are essential for keeping mission-critical data, servers and assets safe and secure. However, as I discussed in my previous post, there are several pitfalls to look out for when deploying a privileged password management solution. At this point, you may be wondering how BeyondTrust stacks up. With that,…

Tags:
, , , , ,