Tuesday, May 28, 2013

Cloud security conversations: Interview with Wolfgang Kandek, CTO at Qualys

While enterprise IT is constantly being pushed by customers who expect demand based cloud services, the cloud security is moving from “mystery and hype” to “secure and move-on". The traditional security solutions are becoming inadequate as customers want to inspect more varied and voluminous data streams in the cloud world today. A well-rounded security intelligence and governance are the key factors to detect advanced threats as we shift from traditional static compute environments to dynamic IT services.

I had a chance to discuss with Wolfgang Kandek, CTO at Qualys, about some of the challenges expressed by our clients and industry experts, and the potential solutions in this space.

Here is a brief bio of Wolfgang:

Wolfgang Kandek is responsible for product direction and all operational aspects of the QualysGuard platform and its infrastructure. Wolfgang has over 20 years of experience in developing and managing information systems. His focus has been on Unix-based server architectures and application delivery through the Internet. He is a frequent speaker at security events and forums including Black Hat, RSA Conference, InfoSecurity UK and The Open Group.

 

Are the security challenges different in context of cloud computing and multi-tenant systems, compared to dedicated or private environments?
The basic security challenges are the same in cloud computing and private environments. In implementing security, cloud computing environments frequently have an advantage. They are often built from the ground up, presenting the opportunity to engineer the necessary security into the environment.

What is your take on hybrid cloud infrastructures and the underlying security protection in case of cloud bursting or applications moving across?
Hybrid cloud infrastructures will be used by many organizations to be able to extend their general computing capacities. The capability of extending the same security controls that are used internally to the hybrid cloud will be an important differentiator for hybrid cloud providers, especially as the cloud computing further matures and becomes a dependable building block for IT architectures.

If we consider security, compliance and governance as 3 different business needs – how dependent are these on one another? Which is the least common denominator and the most important?
Security is a component of compliance and governance. Security should be driven by an understanding of the risks facing IT resources, prioritized by the value, sensitivity, or importance of the IT asset. Compliance is driven by external requirements that the organization must meet, and if these requirements are not met, the organization will face some type of consequence (loss of business, financial penalty etc).  Organizations with mature risk management programs view compliance program requirements as a risk that must be managed. Governance is the overarching program that ensures that the organization is doing what it needs to do to manage risk properly, ensuring appropriate levels of security and meeting compliance requirements.

What are the top vulnerabilities that you commonly see from enterprise applications? Where do things normally go wrong?
Enterprise Applications commonly suffer from three different types of vulnerabilities: type one is caused by programming, and can be fixed by code updates or temporarily remediated by security systems such as IPS and Web Application Firewalls; type two is configuration related, where systems are deployed with non-hardened settings, allowing default passwords and remote system administration without scrutiny; and type three refers to the underlying infrastructure - the operating system and networking.

How important are standardized application deployments, say Application Profiles in Cloud360, to reduce the configuration vulnerabilities? Is this a common source of security vulnerabilities in enterprise applications?
Standardized application deployments can play an enormous role in improving security.  They make it easier to deploy an updated version of the application in question and ensure that the configuration files are in accordance with approved internal standards. This avoids many of the common weaknesses plaguing enterprise applications. Industry reports, such as the Verizon Data Breach Report show the main problems to be configuration related and easily avoded such as default passwords, open admin services and outdated applications.


Very interesting thoughts and continuing on the previous question, what are the common layers in an application stack that we need to consider for guarding? Since hackers usually combine 2 or 3 vulnerabilities to make a penetration – is there any specific recommendation from you?
That is correct, the entire stack can be attacked and often more than one element is involved. So for example, in a SQL injection vulnerability the application is failing to perform the required sanity check on the input, the database access layer allows for dynamic SQL interpretation, and the database is not configured to only return data pertinent to the account in question. To be on top of these weaknesses, it is crucial to have an accurate map of the installed infrastructure, operating systems, network paths and applications, both standard and developed in-house. For example, knowing that a database is directly connected to a web server exposed to the Internet, rather than a database server that is used for an internal application and has no web access at all, helps to prioritize patching and configuration checking.

How critical is to do life-cycle management of virtual infrastructure, to protect from dormant/aged VMs, snapshots and residual data? Is that a common sprawl related problem in the cloud world?
VM sprawl is a common occurrence and can cause security issues. Often machines that are brought up only on demand will miss patch cycles and can be critically out of date even after a few short weeks. Knowing what machines are present in the environment and being able to “predict” vulnerabilities even only with the inventory data is quickly becoming the way to deal with this frequent problem.

What do you try to do differently at Qualys to protect your customers compared to other providers?
Qualys’ main difference is that we bring the vulnerability, configuration and web application audit functionality to our customers as a service. Customers do not have to worry about running the infrastructure necessary to operate this functionality, i.e. hardware, operating systems, databases, signature updates, backups, high-availability, etc., but can instead focus on making best use of the data provided. This is a tremendous advantage for small and medium sized customers, but even our large enterprise customers acknowledge that QualysGuard is extremely fast to implement on a global scale. As long as Internet connectivity is available, the product will work and there is no need to reconfigure enterprise firewalls to assure that all required network connections are possible and in place.

How important is ‘on-demand’ aspect from a security protection viewpoint?
On-demand functionality is important from a business standpoint. It enables us to adapt quickly to new initiatives or unexpected growth. I believe ‘on-demand’ will soon become a requirement for almost all technology related functions, be it in the infrastructure provisioning, security auditing or enterprise application capacity area. 

Given that security protection is an on-going activity, in context of ‘Security is the New Arms Race’, what are your important advises to our enterprise customers?
Overall, exercise control over your infrastructure and be aware of what systems and hardware you are running and their criticality for the business. Often existing tools can provide the data that is necessary to form a complete picture: your user directory, software licensing system, anti-virus consoles and log management system are some of the best initial data sources. Invest in people and develop the capability to pull that data together and produce meaningful reporting and metrics. As you look at new initiatives and include cloud computing into your infrastructure, evaluate the management functionality that the external companies are providing and assure it is adequate for the intended purpose of the system.

I thank Wolfgang on behalf of Cognizant Cloud360 team!

- Ramesh Panuganty.