While enterprise IT is constantly being pushed by customers who expect demand-based cloud services, cloud security is moving from “mystery and hype” to “secure and move on”. Traditional security solutions are becoming inadequate as customers want to inspect more varied and voluminous data streams in today's cloud world. Well-rounded security intelligence and governance are the key factors in detecting advanced threats as we shift from traditional static compute environments to dynamic IT services.
I had a chance to discuss with Wolfgang Kandek, CTO at Qualys, some of the challenges expressed by our clients and industry experts, and the potential solutions in this space.
Here is a brief bio of Wolfgang:
Wolfgang Kandek is responsible for product direction and all operational aspects of the QualysGuard platform and its infrastructure. Wolfgang has over 20 years of experience in developing and managing information systems. His focus has been on Unix-based server architectures and application delivery through the Internet. He is a frequent speaker at security events and forums including Black Hat, RSA Conference, InfoSecurity UK and The Open Group.
Are the security challenges different in the context of cloud computing and multi-tenant systems, compared to dedicated or private environments?
The basic security challenges are the same in cloud computing and private environments. In implementing security, cloud computing environments frequently have an advantage. They are often built from the ground up, presenting the opportunity to engineer the necessary security into the environment.
What is your take on hybrid cloud infrastructures and the underlying security protection in case of cloud bursting or applications moving across?
Hybrid cloud infrastructures will be used by many organizations to be able to extend their general computing capacities. The capability of extending the same security controls that are used internally to the hybrid cloud will be an important differentiator for hybrid cloud providers, especially as cloud computing matures further and becomes a dependable building block for IT architectures.
If we consider security, compliance and governance as three different business needs, how dependent are these on one another? Which is the least common denominator and the most important?
Security is a component of compliance and governance. Security should be driven by an understanding of the risks facing IT resources, prioritized by the value, sensitivity, or importance of the IT asset. Compliance is driven by external requirements that the organization must meet, and if these requirements are not met, the organization will face some type of consequence (loss of business, financial penalty, etc.). Organizations with mature risk management programs view compliance program requirements as a risk that must be managed. Governance is the overarching program that ensures that the organization is doing what it needs to do to manage risk properly, ensuring appropriate levels of security and meeting compliance requirements.
What are the top vulnerabilities that you commonly see in enterprise applications? Where do things normally go wrong?
Enterprise applications commonly suffer from three different types of vulnerabilities: type one is caused by programming, and can be fixed by code updates or temporarily remediated by security systems such as IPS and Web Application Firewalls; type two is configuration related, where systems are deployed with non-hardened settings, allowing default passwords and remote system administration without scrutiny; and type three refers to the underlying infrastructure: the operating system and networking.
How important are standardized application deployments, say Application Profiles in Cloud360, in reducing configuration vulnerabilities? Is this a common source of security vulnerabilities in enterprise applications?
Standardized application deployments can play an enormous role in improving security. They make it easier to deploy an updated version of the application in question and ensure that the configuration files are in accordance with approved internal standards. This avoids many of the common weaknesses plaguing enterprise applications. Industry reports, such as the Verizon Data Breach Report, show the main problems to be configuration related and easily avoided, such as default passwords, open admin services and outdated applications.
Very interesting thoughts. Continuing on the previous question, what are the common layers in an application stack that we need to consider guarding? Since hackers usually combine two or three vulnerabilities to make a penetration, is there any specific recommendation from you?
That is correct: the entire stack can be attacked and often more than one element is involved. For example, in a SQL injection vulnerability the application is failing to perform the required sanity check on the input, the database access layer allows for dynamic SQL interpretation, and the database is not configured to only return data pertinent to the account in question. To be on top of these weaknesses, it is crucial to have an accurate map of the installed infrastructure, operating systems, network paths and applications, both standard and developed in-house. For example, knowing that a database is directly connected to a web server exposed to the Internet, rather than a database server that is used for an internal application and has no web access at all, helps to prioritize patching and configuration checking.
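The three layers named in the answer above, shown side by side as an added example (not code from the interview or from Qualys): a lookup that fails all three, one that only binds parameters, and one that validates input, binds parameters and filters rows to the requesting account. The table, rows and account names are constructed; the row filter stands in for database-side privileges or views.

```python
import sqlite3

# Constructed sample table for the demonstration; not data from the interview.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def connect():
    """Build an in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER, name TEXT, email TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def lookup_vulnerable(con, name):
    """All three layers fail: no input check, SQL assembled from the input,
    and nothing limits which rows the caller may see."""
    sql = f"SELECT name, email FROM accounts WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def lookup_parameterised(con, name):
    """Layer 2 only: the driver binds the value, so input cannot change the
    statement's structure, but any account's row is still reachable."""
    sql = "SELECT name, email FROM accounts WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def lookup_hardened(con, name, caller_id):
    """All three layers: input sanity check, bound parameters, and a row
    filter modelling a database that only returns data pertinent to the
    requesting account (in production: DB privileges or views, not app code)."""
    if not (name.isalnum() and len(name) <= 32):                 # layer 1
        raise ValueError("account name must be alphanumeric, max 32 chars")
    sql = "SELECT name, email FROM accounts WHERE name = ? AND id = ?"
    return con.execute(sql, (name, caller_id)).fetchall()        # layers 2 and 3


if __name__ == "__main__":
    con = connect()
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(con, payload))      # every row comes back
    print(lookup_parameterised(con, payload))   # the literal matches nothing
    print(lookup_hardened(con, "alice", 1))     # only the caller's own row
```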
How critical is it to do life-cycle management of virtual infrastructure, to protect from dormant/aged VMs, snapshots and residual data? Is that a common sprawl-related problem in the cloud world?
VM sprawl is a common occurrence and can cause security issues. Often machines that are brought up only on demand will miss patch cycles and can be critically out of date even after a few short weeks. Knowing what machines are present in the environment and being able to “predict” vulnerabilities even only with the inventory data is quickly becoming the way to deal with this frequent problem.
What do you try to do differently at Qualys to protect your customers compared to other providers?
Qualys’ main difference is that we bring the vulnerability, configuration and web application audit functionality to our customers as a service. Customers do not have to worry about running the infrastructure necessary to operate this functionality, i.e. hardware, operating systems, databases, signature updates, backups, high availability, etc., but can instead focus on making best use of the data provided. This is a tremendous advantage for small and medium-sized customers, but even our large enterprise customers acknowledge that QualysGuard is extremely fast to implement on a global scale. As long as Internet connectivity is available, the product will work and there is no need to reconfigure enterprise firewalls to assure that all required network connections are possible and in place.
How important is the ‘on-demand’ aspect from a security protection viewpoint?
On-demand functionality is important from a business standpoint. It enables us to adapt quickly to new initiatives or unexpected growth. I believe ‘on-demand’ will soon become a requirement for almost all technology-related functions, be it in the infrastructure provisioning, security auditing or enterprise application capacity area.
Given that security protection is an ongoing activity, in the context of ‘Security is the New Arms Race’, what is your most important advice to our enterprise customers?
Overall, exercise control over your infrastructure and be aware of what systems and hardware you are running and their criticality for the business. Often existing tools can provide the data that is necessary to form a complete picture: your user directory, software licensing system, anti-virus consoles and log management system are some of the best initial data sources. Invest in people and develop the capability to pull that data together and produce meaningful reporting and metrics. As you look at new initiatives and include cloud computing in your infrastructure, evaluate the management functionality that the external companies are providing and assure it is adequate for the intended purpose of the system.
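Pulling the data sources named in this answer together, and applying the inventory-driven view of VM sprawl from the earlier answer, as an added example (not code from the interview or from Qualys): the exports, host names, patch dates, criticality ranking, report date and 30-day patch cycle are all constructed assumptions. Each host known to any source is checked against the others and against its patch history, and the findings are ordered by business criticality so the report can drive prioritisation.

```python
from datetime import date

# Constructed sample exports from the four data sources; not real data.
DIRECTORY = {"web01", "web02", "db01", "batch07"}
LICENSING = {"web01", "web02", "db01"}
AV_CONSOLE = {"web01", "db01"}
LOG_SOURCES = {"web01", "web02", "db01", "batch07", "tmp-build-3"}
LAST_PATCHED = {"web01": date(2012, 6, 20), "web02": date(2012, 6, 20),
                "db01": date(2012, 3, 15), "batch07": date(2012, 1, 10)}
# Hypothetical business criticality per host (3 = most critical).
CRITICALITY = {"db01": 3, "web01": 2, "web02": 2, "batch07": 1}
TODAY = date(2012, 7, 1)   # hypothetical report date, fixed for reproducibility
PATCH_CYCLE_DAYS = 30      # hypothetical monthly patch cycle


def reconcile(today, directory, licensing, av, logs, last_patched, criticality):
    """Merge every source into one inventory and list, per host, what the
    picture is missing. Returns (host, criticality, issues) tuples sorted
    most critical first; hosts with nothing to report are omitted."""
    findings = []
    for host in directory | licensing | av | logs:
        issues = []
        if host not in directory:
            issues.append("unknown to directory (possible sprawl)")
        if host not in av:
            issues.append("no anti-virus agent reporting")
        if host not in licensing:
            issues.append("no licensing record")
        if host not in logs:
            issues.append("not sending logs")
        patched = last_patched.get(host)
        if patched is None:
            issues.append("no patch history")
        else:
            # A VM brought up on demand and then left alone shows up here.
            missed = (today - patched).days // PATCH_CYCLE_DAYS
            if missed >= 1:
                issues.append(f"missed {missed} patch cycle(s)")
        if issues:
            findings.append((host, criticality.get(host, 0), issues))
    findings.sort(key=lambda f: (-f[1], f[0]))
    return findings


if __name__ == "__main__":
    report = reconcile(TODAY, DIRECTORY, LICENSING, AV_CONSOLE,
                       LOG_SOURCES, LAST_PATCHED, CRITICALITY)
    for host, crit, issues in report:
        print(f"{host} (criticality {crit}): " + "; ".join(issues))
```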