Embracing the Cloud for Vulnerability Management

by Dick Bussiere, Technical Director, APAC, Tenable Network Security

Over the past several years, organisations of all sizes have begun to realise the benefits of cloud computing models such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). The benefits are manifold and include lower cost, increased availability, simplified infrastructure requirements, and the ability to quickly grow and shrink the compute capability as and when required.

Perhaps the biggest motivation driving the adoption of the various cloud models is financial. With the cloud model, the requirement for expensive real estate, cooling, power, and security evaporates and becomes the cloud service provider’s problem. Hardware, such as networking infrastructure and servers, also vanishes from the enterprise perspective when the cloud is employed. With cloud, the enterprise can apply its focus and money to the application rather than to the peripheral support infrastructure, lowering cost and improving the deployment of human resources.

Another motivation for the migration to cloud is elasticity. Additional resources can be spun up instantly, and likewise deleted when no longer required, with no residual cost. So, for example, when an airline needs to deal with a surge on their reservation website due to the Christmas holiday, extra capacity can be added with the click of a mouse, instantly, and without needing to procure hardware. This same capacity can then be deleted with a click of the same mouse once the surge is over.

The Benefits of Cloud Based Vulnerability Management

Cloud based vulnerability management platforms have similar benefits to any other cloud based infrastructure – reduced capital investment and personnel cost, and increased dynamic flexibility. Any security solution must be able to scale with the business, in terms of size, geography and adaptability to trends such as cloud and hybrid networking. A cloud based security solution does just this.

Cloud based vulnerability management lends itself very well to helping to secure today's diverse and geographically distributed enterprise. One of the key benefits of a cloud based security solution is that, by its very nature, it is everywhere. This means that every single location of the enterprise can be connected to the security cloud with little effort. This eliminates the complexity of using an on-premises solution to monitor cloud assets.

Operational efficiencies are enhanced, as a cloud vulnerability management solution can be accessed by any authorized user, at any time, from any place. This facilitates enhanced collaboration and a distributed workforce model. People who, in the past, were unable to participate in the vulnerability management process can now easily do so, as information is readily shared.

Cost is reduced since the need for the enterprise to maintain on-premises hardware and software capability is reduced. Also, unlike traditional on-premises security solutions, cloud security solutions can easily and transparently scale as big as is required - and this scaling takes place only when need be. Maintenance efforts for the security platform are also reduced, since the cloud provider assumes this significant responsibility.

Things to Think About when Considering Cloud Vulnerability Management

While cloud vulnerability management platforms offer significant advantages to organisations, there are issues that may be of concern to some enterprises.

First, there is the issue of trust. Organisations must be comfortable with the fact that they are relinquishing control of their security infrastructure to a third party. They also need to be comfortable with the fact that their security data is being stored in the cloud by that same third party. And they must address the matter of data sovereignty: are the security solution and the stored data physically present in the same country as the enterprise, and are there any laws regulating this concern?

These issues are mitigated by the fact that the vendors have invested large amounts in their underlying technology and in the security professionals managing their infrastructures. In fact, in most cases, the cloud provider has superior security personnel and infrastructure to what most enterprises could even afford. These issues are further mitigated by cloud security certifications that the provider should have. If data sovereignty is a concern, then the provider must be consulted to see where the data repositories are physically located, and whether or not any in-country regulations apply.

Another issue is the solution’s ability to cope with the dynamism of most cloud environments. An organisation may be creating and bringing down virtual machines on cloud platforms and shifting data between them. The vulnerability tools being used must be able to deal with this constantly changing landscape quickly and automatically.

Choosing the Right Cloud Vulnerability Management Vendor

Once the decision has been made to adopt a cloud vulnerability management service, there are important questions that should be asked of prospective vendors.

One is whether their platform has appropriate certifications. This is a way for the provider to prove that they are compliant with industry best practices for managing and securing customers’ infrastructures.

It's also important to ask about the vendor's internal security processes and personnel. Determine what team they have in place, their patching policies, and how they have responded to any incidents that may have occurred.

Public-sector agencies such as the Australian Signals Directorate (ASD) provide solid guidance in this area. The ASD has published detailed guides that help an organisation to ensure it is covering all the bases when establishing effective security in the cloud.

The cloud is an exciting place to be for most enterprises, as there are clear advantages from both a financial and an operational perspective. That said, careful investigation of the applicability of a cloud vulnerability management solution for a given use case, and of the operational practices of any provider, is essential before making the transition.