

On Vulnerability Management and Clouds

by Anton Chuvakin  |  November 14, 2011  |  2 Comments

This is about “clouds”, so everybody must read it :)  Specifically, this was inspired by this insightful LinkedIn discussion about large-scale vulnerability management where many notable VA/VM personalities chimed in (BTW, note the reference to “the egg laying milk-wool pig” there… if you have to). In this post, I wanted to share a few quick thoughts about vulnerability assessment IN the cloud and FOR the cloud – all inspired by that discussion.

First, do you HAVE TO have a SaaS (a particular case of cloud computing delivery as per the S/P/I model) solution to perform large-scale vulnerability scanning, say over 100,000 IPs on a regular basis?  Probably not, as there are quite a few large-scale vulnerability assessment tool deployments using the traditional software or appliance (or virtual appliance) model.  Some people think that managing and tuning their own scalable (… which is a big deal!) scanning infrastructure is too much work, while others won’t trust anybody else to do it for them. Today the market offers plenty of choices for either side of this debate, and I don’t feel that it is appropriate for us to take sides.

However, what seems to matter more than the form factor is whether the tool evolved in just such large environments.  In other words, the theme that seems to emerge in my research is that a vendor’s multiyear experience with successful scanning of large environments matters more than the form factor (BTW, contrary to my initial opinion). For example, well-designed and battle-hardened remote component management in your chosen VA software tool will make your distributed vulnerability assessment much less painful, even without dipping into the mystical power of The Cloud…

Second, it seems like vulnerability management FOR the cloud is going to be trickier than we thought. If a “scan ban” – a public cloud provider’s prohibition on scanning assets from outside its network – is in effect, most currently popular assessment choices fall flat, especially for large cloud (IaaS, in this case) asset populations. I am sorry, but people who say that “we just scan those public cloud assets like nothing changed” are not thinking of thousands of transient systems spread across multiple providers, managed by different teams, shielded by a lot of unknown ACLs, etc. Cloud is NOT co-location circa 2011!

What are the possible solutions that will be needed in the next 2-3 years? It sure seems like scanning agents will make a comeback. They will likely be joined by their “younger brothers” – transient or dissolvable agents. In-cloud scanner instances will likely be utilized as well, scanning only the cloud assets in their immediate vicinity. Who knows, maybe even passive scanning will come in handy. On top of this, security assessment using various cloud provider APIs will likely become a reality as well; think of this as scanning offline virtual machine images, but inside the IaaS. My guess is that there will be no single standard way of doing it for the foreseeable future. Now, I plan to cover these and other fun issues in my upcoming report on vulnerability assessment technology, to come out in Q1 2012. And if I say more here, I feel I’d run afoul of our freshly updated policy, so I’ll stop here :)
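The two preceding paragraphs describe the practical problem with transient IaaS assets: a scanner's results are keyed by IP address, but in a cloud an IP outlives any one instance, so a result from last week may describe a machine that no longer exists while the instance now holding that IP has never been assessed. The following is an added example (not code from the post or from any vendor it mentions) that reconciles a provider-API style instance inventory against a scanner's results export and classifies each running instance as covered, stale, never scanned, or matched only to a result that predates its launch. All records, timestamps, instance IDs and IPs below are constructed; the `CloudInstance` and `ScanRecord` shapes are assumptions standing in for whatever a real provider API and scanner export return.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


# Hypothetical record shapes: one as a provider inventory API might return it,
# one as a scanner's results export might. Every value below is constructed.

@dataclass(frozen=True)
class CloudInstance:
    instance_id: str
    provider: str
    private_ip: str
    launched_at: datetime
    terminated_at: Optional[datetime] = None   # None means still running


@dataclass(frozen=True)
class ScanRecord:
    target_ip: str
    scanned_at: datetime
    source: str   # "external", "in-cloud" or "agent" (constructed labels)


def _utc(y: int, m: int, d: int, hh: int = 0) -> datetime:
    return datetime(y, m, d, hh, tzinfo=timezone.utc)


NOW = _utc(2011, 11, 14, 12)

# Constructed inventory: two providers, one instance already retired.
INSTANCES = [
    CloudInstance("i-0001", "provider-a", "10.0.1.10", _utc(2011, 11, 1)),
    CloudInstance("i-0002", "provider-a", "10.0.1.11", _utc(2011, 11, 1)),
    CloudInstance("i-0003", "provider-b", "10.0.2.20", _utc(2011, 11, 13)),
    CloudInstance("i-0004", "provider-b", "10.0.2.21", _utc(2011, 11, 13)),
    CloudInstance("i-0005", "provider-a", "10.0.1.12", _utc(2011, 10, 20),
                  terminated_at=_utc(2011, 11, 10)),
]

# Constructed scanner export. Note 10.0.2.20 was scanned on Nov 5, before
# i-0003 launched on Nov 13: that result belongs to a previous tenant of the IP.
SCANS = [
    ScanRecord("10.0.1.10", _utc(2011, 11, 12), "agent"),
    ScanRecord("10.0.1.11", _utc(2011, 11, 2), "in-cloud"),
    ScanRecord("10.0.2.20", _utc(2011, 11, 5), "in-cloud"),
    ScanRecord("10.0.1.12", _utc(2011, 11, 8), "agent"),
]


def coverage_report(instances: List[CloudInstance], scans: List[ScanRecord],
                    now: datetime, max_age: timedelta = timedelta(days=7)) -> Dict[str, List[str]]:
    """Classify each running instance by scan coverage.

    A scan result counts for an instance only if it was taken after that
    instance launched; a result older than the instance is evidence about
    whoever held the IP before, not about this machine.
    """
    scans_by_ip: Dict[str, List[ScanRecord]] = {}
    for s in scans:
        scans_by_ip.setdefault(s.target_ip, []).append(s)

    report: Dict[str, List[str]] = {"covered": [], "stale": [], "never_scanned": [], "ip_reused": []}
    for inst in instances:
        if inst.terminated_at is not None:
            continue   # retired instance: nothing left to assess
        candidates = scans_by_ip.get(inst.private_ip, [])
        valid = [s for s in candidates if inst.launched_at <= s.scanned_at <= now]
        if not valid:
            predates = any(s.scanned_at < inst.launched_at for s in candidates)
            report["ip_reused" if predates else "never_scanned"].append(inst.instance_id)
            continue
        latest = max(s.scanned_at for s in valid)
        report["covered" if now - latest <= max_age else "stale"].append(inst.instance_id)

    for bucket in report.values():
        bucket.sort()
    return report


if __name__ == "__main__":
    for bucket, ids in coverage_report(INSTANCES, SCANS, NOW).items():
        print(f"{bucket:14s} {', '.join(ids) or '-'}")
```

The `ip_reused` bucket is the one an IP-keyed scanner cannot see on its own: without the launch timestamp from the provider inventory, i-0003 would look like it was scanned nine days ago. Joining scanner output to the inventory on (IP, time window) rather than on IP alone is the minimum needed before any of the scan-ban workarounds in the post (agents, in-cloud scanners, API-based assessment) can be measured for coverage.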

Previous vulnerability management related posts are:

  1. On Scanning “New” Environments that covers scanning virtual, cloud, mobile and other unusual and emerging IT environments
  2. On Vulnerability Prioritization and Scoring that talks about prioritizing the vulnerabilities for remediation
  3. On LARGE Scale Vulnerability Management that asks a few useful questions about large deployments.


Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management and evangelism.


Thoughts on “On Vulnerability Management and Clouds”


  1. ArkanoiD says:

    Nessus is fast.

    Really fast. 10K hosts in just a few hours means you may build a distributed scanning system where just 10 scanning agents will serve 100K hosts, yes, in the same few hours. It is a real blessing after my futile attempts to tame OpenVAS.

    What is missing is that I’d like to perform local checks on virtual environments using parent host credentials.

  2. Thanks for the comment. How about 100k host scan data analysis? Scanning, as you wisely point out :-), is easy and fast. Figuring out what to fix on 100k hosts? Mmmmm… not so much.

    Local VM checks on dormant VMs would be cool indeed…..


