This is about “clouds”, so everybody must read it Specifically, this was inspired by this insightful LinkedIn discussion about large-scale vulnerability management where many notable VA/VM personalities chimed in (BTW, note the reference to “the egg laying milk-wool pig” there… if you have to). In this post, I wanted to share a few quick thoughts about vulnerability assessment IN the cloud and FOR the cloud – all inspired by that discussion.
First, do you HAVE TO have a SaaS (a particular case of cloud computing delivery as per S/P/I model) solution to perform large scale vulnerability scanning, say over 100,000 IPs on a regular basis? Probably not, as there are quite a few large scale vulnerability assessment tool deployments using traditional software or appliance (or virtual appliance) model. Some people think that managing and tuning their own scalable (… which is a big deal!) scanning infrastructure is too much work, while others won’t to trust anybody else to do it for them. Today market offers plenty of choices for either side of this debate, and I don’t feel that it is appropriate for us to take sides.
However, what seem to matter more than the form factor is whether the tool evolved in just such large environments. In other words, the theme that seems to emerge in my research is that vendor’s multiyear experience with successful scanning of large environments seem to matter more than the form factor (BTW, contrary to my initial opinion). For example, a well-designed and battle-hardened remote component management of your chosen VA software tool will make your distributed vulnerability assessment much less painful, even without dipping into the mystical power of The Cloud…
Second, it seems like vulnerability management FOR the cloud is going to be trickier than we thought. If “scan ban” – a prohibition from a public cloud provider to scan assets from outside of their network – is in effect, most currently popular assessment choices fall flat, especially for large cloud (IaaS, in this case) asset populations. I am sorry, but people who say that “we just scan those public cloud assets like nothing changed” are not thinking of thousands of transient systems spread across multiple providers, managed by different teams, shielded by a lot of unknown ACLs, etc. Cloud is NOT co-location circa 2011!!
What are possible solutions that will be needed in the next 2-3 years? It sure seems like the scanning agents will make a come back. They will likely be joined by their “younger brothers” – transient or dissolvable agents. In-cloud scanner instances will likely be utilized as well, scanning only the cloud assets in their immediate vicinity. Who knows, maybe even passive scanning will come handy. On top of this, security assessment using various cloud provider APIs the likely become a reality as well; think of this as scanning offline virtual machine images, but inside the IaaS. My guess is that there will be no single standard way of doing it for the foreseeable future. Now, I plan to cover these and other fun issues in my upcoming report on vulnerability assessment technology, to come out in Q1 2012. And if I say more here, I feel I’d run afoul of our freshly updated policy, so I’d stop here
Previous vulnerability management related posts are:
- On Scanning “New” Environments that covers scanning virtual, cloud, mobile and other unusual and emerging IT environments
- On Vulnerability Prioritization and Scoring that talks about prioritizing the vulnerabilities for remediation
- On LARGE Scale Vulnerability Management that asks a few useful questions about large deployments.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.