Again: Who’s Responsible for Vulnerability Management in the Cloud?
By Shawna McAlearney
The debate about who is responsible for security in the cloud, ongoing since the earliest days of cloud computing, has now been tested, thanks to Spectre and Meltdown. Users may not like the answers they are getting from their cloud providers.
The new year ushered in not just one but two incredibly serious hardware vulnerabilities that posed both an immediate threat and long-term implications for cloud computing. These vulnerabilities, present in processors from many different vendors and affecting most operating systems, could be used to read sensitive information stored in a computer’s memory, including account numbers and passwords.
Exploiting these issues is complicated and far more difficult than phishing or code-injection attacks, so they are unlikely to be an attacker’s first choice for stealing sensitive data. Proof-of-concept code has been released, but no exploits in the wild have yet been discovered.
Vendors rushed to issue patches, but one of the foremost current concerns is that the patches can cause significant slowdowns — in some cases up to 30 percent on Windows and Linux platforms. The attacks exploit a “feature” in the design of the hardware itself that is there to enhance performance.
Another concern is that, in the case of Spectre and Meltdown, cloud users can’t rely on providers to do all the patching and mitigation. Even if cloud providers have patched their own software, their customers must still patch their virtual machines and every computing instance that runs on that host.
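As an added example (not from the article), here is a POSIX shell check a tenant can run inside a Linux guest to see which Spectre/Meltdown-family issues the guest kernel still reports as unmitigated; it reads the standard sysfs directory that kernels 4.15 and later expose, and the fixture values in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the article): ask a Linux guest kernel which
# Spectre/Meltdown-family issues it still reports as unmitigated. The
# provider's host patch does not cover the tenant's guest kernel, so this
# is the tenant's side of the check. Kernels 4.15+ expose one file per
# issue under the sysfs directory below; a value beginning "Vulnerable"
# means the guest still needs a kernel or microcode update.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "<issue>: <status>" for every entry in the directory given as $1.
report_mitigations() {
    for f in "$1"/*; do
        [ -f "$f" ] && printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Print only the names of issues whose status begins with "Vulnerable".
# Output is empty when every reported issue is mitigated or not affected.
unmitigated_names() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) basename "$f" ;;
        esac
    done
}

# Stand-alone use: run against the live sysfs directory when it exists.
if [ -d "$VULN_DIR" ]; then
    report_mitigations "$VULN_DIR"
    if [ -n "$(unmitigated_names "$VULN_DIR")" ]; then
        echo "guest still needs patching: $(unmitigated_names "$VULN_DIR" | tr '\n' ' ')"
    else
        echo "all reported issues mitigated or not affected"
    fi
else
    echo "$VULN_DIR not present: kernel predates sysfs vulnerability reporting" >&2
fi
```

Set `VULN_DIR` to a copy of the directory to review the output from another guest offline.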
Who is responsible for vulnerability management in the cloud? It depends on your provider, the services you need and your contract. Generally, it appears that it is the vendor who is responsible for security of the cloud while the customer is responsible for security in the cloud.
“We work in conjunction with our provider to make sure everything is covered and nothing slips through the cracks,” Derrick Butts, CIO of the Truth Initiative, said in a recent (ISC)² Think Tank webcast. “It really goes back to asking the right questions, like: What are you providing us? What are we really getting? And, what do we still have to retain in the way of responsibilities or roles to make sure our data is accessible?”
“We get reports daily, but if there’s an anomaly based on a threshold that we’ve set up, we will get a notice that our performance is degraded by X,” he adds. “We get an alert and an active call from our provider that says this is what took place; this is how we are remedying it; and this is how we’re going to move forward so it doesn’t happen again.”
Butts and other experts suggest you ask your provider (and yourself!) the following questions to make sure all the bases are covered:
- What does the vendor provide in the way of resources and management capabilities?
- Are support staffers credentialed? What is their level of expertise on elements that concern you?
- What does the vendor provide in the way of visibility and access?
- To what extent will the vendor give you feedback on how your data is doing and how it is being used? And what of any vulnerabilities that might take place?
- What exactly is included in your package? What additional services are offered?
- Verify that your vendor can do what they claim and that they have tested it.
- If you have certain security policies and procedures that you’re following for on-premises services, is your service provider aligned with them?
- Consider whether a cloud-specific vendor will be able to expand their oversight so that it will cover the programs that you need managed as you grow.
- When they do a maintenance update, are they informing you that it is taking place? Are they sending you alerts? Are they testing patches before they are sent out? If not, is that something you can live with?
- And last, but by no means least, are they using multi-factor authentication, especially for privileged accounts?
Some cloud users say they are happy to turn over responsibility for things in the cloud under the premise of, “The less I have to manage, the happier I’ll be.” However, experts say that isn’t quite the way it works.
“Even though we’ve moved up to the cloud, we still take an enterprise-holistic approach,” Butts said in the webcast. “In essence, you are really doing more because the vulnerabilities are coming at you a little bit faster, so your teams have to be more readily available to address issues on your end. You aren’t really doing anything less; if anything, you’re stepping up and doing a little bit more, but you can use automation to help you do that.”
In the end, no matter your plan, contracts or provider of choice, it appears the proverbial buck still stops with you and your security team.
“As a CIO and cybersecurity officer, I’m held accountable if these things don’t work,” said Butts. “I’m still on the hook, but now it’s in a place I can’t physically touch.”
Shawna McAlearney is a freelance writer based in Las Vegas.
For more in-depth information on roles and responsibilities when exploits are discovered within cloud services, or to access free tools, please see our webcast, The Hot Potato — Who’s Responsible for Vulnerability Management in the Cloud? It was among the Top 10 (ISC)² Cloud Secure Webinars of 2017.