Vulnerabilities In The Cloud
As you move to the cloud, what happens to vulnerabilities? Depending on your implementation model and stage of modernization, the answer ranges from “a bit better” to “traditional vulnerabilities are gone.” Overall, though, your vulnerability risk picture improves in the cloud, so make the move and enjoy the security benefits!
Vulnerabilities Do Not Disappear When Moving to the Cloud
As many companies move to the cloud, ownership of vulnerabilities changes in much the same way that responsibility for operations and ownership changes. The responsibility model shown in Figure 1 demonstrates the differences depending on where your data center happens to be: on-premises in your own data center, using Infrastructure-as-a-Service in a managed data center or the public cloud, using Platform-as-a-Service for serverless functions and capabilities, or Software-as-a-Service where everything is done for you. Vulnerabilities can be found, and must be remediated, in everything you are responsible for and manage.
Methods to the Madness
Essentially, there are two ways to “move” to the cloud. How you move to the cloud impacts your vulnerability environment including the tools and processes to manage vulnerabilities.
The quickest approach is to move your existing data center systems from a physical/virtual environment to the public cloud infrastructure provider. Some companies will move all their legacy data center systems in a “Lift and Shift” approach.
Another longer approach in the migration is the hybrid method. Lift and Shift is massively impactful to all the data center assets, applications, and teams at once. The hybrid approach allows an organization to decide what moves, when it moves, and how it ends up in the cloud. Most companies follow this method and never completely eliminate their on-premise data center assets.
Lift and Shift Approach Doesn’t Promote Vulnerability Elimination
Moving to the cloud with older, traditional legacy operating systems is the easiest way to Lift and Shift. Vulnerabilities don’t change here at the server level, but they might be reduced at the infrastructure layer when networking, storage, and bare-metal servers are managed by someone else. Make sure you have strong contracts and read the SOC 2 report in detail to verify strong security, including patching, with the provider. With a bit more effort, some companies will remove all the legacy systems and put all their existing applications on updated and patched operating systems. This approach will eliminate the standing risk, but the key issue with vulnerabilities is the ongoing system and vulnerability lifecycle management needed to keep risk reduced. If you didn’t have a strong patch management process prior to moving your systems to IaaS, you will just end up moving your security problems to a different space on the chess board. As companies mature in their IaaS approach, Blue/Green servers will help address patching process risks. When servers are in a Blue/Green mode, a baseline server is patched and has its vulnerabilities remediated so that it can be a Golden Image for all servers to use. These servers are rebuilt frequently using Infrastructure-as-Code to create a new pool of vulnerability-free server infrastructure that is swapped in to replace the existing servers in that workload. There are no downtime requirements or customer impacts to patch and reboot systems!
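The Blue/Green rebuild described above, as an added example that is not part of the original article or any vendor's tooling: a baseline image is patched, refused promotion to Golden Image if any known vulnerability remains, and a fresh pool built from it is swapped in while the old pool keeps serving, so capacity never drops. The advisory data, package versions and image names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed advisory data (hypothetical): package -> first version that
# fixes its known vulnerability. Versions are tuples so they compare numerically.
ADVISORIES = {
    "openssl": (3, 0, 12),
    "glibc": (2, 38, 0),
}


@dataclass
class Image:
    """A server image: a name plus the package versions baked into it."""
    name: str
    packages: dict


@dataclass
class Server:
    """A running server and the image it was built from."""
    server_id: str
    image: Image


def vulnerable_packages(image):
    """Packages in the image that are older than the fixed version in ADVISORIES."""
    return sorted(
        pkg for pkg, fixed in ADVISORIES.items()
        if pkg in image.packages and image.packages[pkg] < fixed
    )


def build_golden_image(base, patches):
    """Apply patches to the baseline and refuse to promote an image that still
    carries a known vulnerability. That gate is what makes it a Golden Image."""
    merged = dict(base.packages)
    for pkg, version in patches.items():
        if version > merged.get(pkg, (0,)):
            merged[pkg] = version
    candidate = Image(f"{base.name}-patched", merged)
    remaining = vulnerable_packages(candidate)
    if remaining:
        raise ValueError(f"image still vulnerable, not promoting: {remaining}")
    return candidate


def rotate_pool(blue, golden, pool_size):
    """Blue/Green swap: build a green pool from the golden image, cut traffic
    over once green is up, then drain blue. Returns the new active pool and the
    serving capacity seen at each step, so a caller can confirm capacity never
    fell below pool_size (no downtime, no reboot of in-service servers)."""
    green = [Server(f"green-{i}", golden) for i in range(pool_size)]
    capacity = []
    serving = list(blue)            # step 0: blue serves alone
    capacity.append(len(serving))
    serving = list(blue) + green    # step 1: green provisioned and healthy
    capacity.append(len(serving))
    serving = green                 # step 2: cut over, blue drained and destroyed
    capacity.append(len(serving))
    return serving, capacity


# Constructed baseline: two packages below their fixed versions, one unaffected.
BASE_IMAGE = Image("web-base", {
    "openssl": (3, 0, 9),
    "glibc": (2, 37, 0),
    "nginx": (1, 24, 0),
})
# Constructed patch set that brings both vulnerable packages past the fix.
PATCHES = {"openssl": (3, 0, 13), "glibc": (2, 39, 0)}


if __name__ == "__main__":
    golden = build_golden_image(BASE_IMAGE, PATCHES)
    blue = [Server(f"blue-{i}", BASE_IMAGE) for i in range(3)]
    active, capacity = rotate_pool(blue, golden, 3)
    print("baseline vulns:", vulnerable_packages(BASE_IMAGE))
    print("golden vulns:", vulnerable_packages(golden))
    print("capacity per step:", capacity, "active:", [s.server_id for s in active])
```

The promotion gate is the important part: an image that only partially patches the baseline raises instead of being rolled out, which is what keeps the rebuilt pool "vulnerability-free" relative to the advisories you track.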
When workloads mature through application modernization, the traditional legacy vulnerability landscape disappears in the PaaS model. No longer do you need to patch Windows or Linux server operating systems or middleware components. Great! However, that doesn’t eliminate vulnerabilities or the threat perspective of attackers. Using a more Agile or DevOps vocabulary, vulnerability management is shifted left. What is more important now is the configuration and management of services and the interfaces into those services. In the serverless environment, APIs are the new digital currency, and protecting them from vulnerabilities due to poor configuration or operations is critical. To reduce the risk of vulnerabilities in serverless environments, use new tools for security and configuration compliance from the Cloud Management Platform and API Management solution spaces.
Another way exploitable vulnerabilities are shifted left is related to the supply chain for third-party code and libraries. Using tools to verify code provenance and code security is important to reduce the possibility of code vulnerabilities or injected malware affecting your organization.
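One concrete form of the provenance check just described, as an added example that is not from the original article or any particular tool: third-party dependencies are pinned to exact versions with expected SHA-256 digests (the shape pip's hash-checking mode uses), and a downloaded artifact is only accepted if its digest matches. Anything unpinned or hash-less is rejected rather than silently trusted. The package names, artifact bytes and lockfile are constructed for illustration; the parser assumes one requirement per line with sha256 hashes only.

```python
import hashlib
import re

# One pinned requirement per line, pip hash-checking style (assumption: no
# backslash line continuations, sha256 only):
#   name==version --hash=sha256:<64 hex> [--hash=sha256:<64 hex> ...]
_PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})+)\s*$"
)
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_pinned_requirement(line):
    """Return (name, version, {allowed sha256 digests}); reject anything that
    is not an exact pin with at least one hash, so a loose line fails closed."""
    match = _PIN_RE.match(line.strip())
    if not match:
        raise ValueError(f"unpinned or hash-less requirement rejected: {line!r}")
    digests = set(_HASH_RE.findall(match.group("hashes")))
    return match.group("name"), match.group("version"), digests


def verify_artifact(data, allowed_digests):
    """True only if the downloaded bytes hash to one of the pinned digests."""
    return hashlib.sha256(data).hexdigest() in allowed_digests


def verify_all(requirements_text, fetched):
    """Check every pinned requirement against the bytes actually fetched
    (name -> bytes). Returns name -> bool; a missing artifact counts as failed."""
    results = {}
    for line in requirements_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _version, digests = parse_pinned_requirement(line)
        data = fetched.get(name)
        results[name] = data is not None and verify_artifact(data, digests)
    return results


# Constructed sample artifacts; these are not real packages.
GOOD_WHEEL = b"constructed wheel bytes for examplepkg 1.0.0"
EXPECTED_OTHER_WHEEL = b"constructed wheel bytes for otherpkg 2.0.0"
MODIFIED_OTHER_WHEEL = b"constructed wheel bytes for otherpkg 2.0.0 (modified)"

# Constructed lockfile whose digests were recorded from the expected artifacts.
PINNED_REQUIREMENTS = (
    "# constructed lockfile\n"
    f"examplepkg==1.0.0 --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}\n"
    f"otherpkg==2.0.0 --hash=sha256:{hashlib.sha256(EXPECTED_OTHER_WHEEL).hexdigest()}\n"
)

# What the build actually downloaded: one artifact intact, one altered.
FETCHED = {"examplepkg": GOOD_WHEEL, "otherpkg": MODIFIED_OTHER_WHEEL}


if __name__ == "__main__":
    for name, ok in verify_all(PINNED_REQUIREMENTS, FETCHED).items():
        print(f"{name}: {'verified' if ok else 'REJECTED'}")
```

Running it reports examplepkg as verified and otherpkg as rejected; the altered bytes no longer match the digest recorded when the dependency was reviewed, which is exactly the case a provenance check exists to catch.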
Eliminate Servers and Provide Data Protection
When a company decides to use a cloud SaaS provider, protecting the infrastructure behind the scenes and managing the application is the cloud SaaS provider’s responsibility. Traditional vulnerabilities detected by vulnerability scanners do not apply in this case. In this environment, identity and access management is the key and is still the customer’s responsibility. The traditional Cloud Access Security Broker solution space can provide additional identity, authorization, access control, and data transfer protection mechanisms.
Vulnerabilities in the Cloud Provider Infrastructure
Significant vulnerabilities in the cloud infrastructure of cloud providers happen very infrequently. Also, the big cloud infrastructure providers are mature and quick in patching their infrastructure. As you are probably aware, cloud infrastructure platforms involve a number of software and hardware components behind the scenes, some custom and some commercial off-the-shelf. Adversaries who are able to determine the software or hardware used in a cloud architecture could take advantage of known vulnerabilities to elevate privileges or access data across tenants in the cloud. Security researchers have demonstrated possibilities in this area, but exploitability is difficult. Unless you have highly sensitive workloads or a government/military-focused purpose, potential vulnerabilities in these areas are not a high risk or priority today.
Just Do It
Most approaches to moving to the cloud will consequently reduce overall vulnerabilities in your environment. As shown in Figure 2, the further down the stack, the fewer possible vulnerabilities may impact your organization. If you have been struggling in the grind to identify and patch all vulnerabilities in your systems, moving to the cloud can help minimize the number, the exploitability, and the potential consequences of vulnerabilities. Make the move!