Cloud Providers Must Share Discovered Vulnerabilities - InformationWeek

Cloud Providers Must Share Discovered Vulnerabilities
Ed Moyle,
User Rank: Apprentice
5/16/2014 | 8:26:36 AM
This is a bigger deal than you might think
So, from a cloud service provider perspective, this is a bigger deal than you might think. I can tell you that there can be strong internal pressure to not disclose security issues to customers. That includes explicit vulnerabilities, but also operational issues that prevent security controls from working at full utility (for example, configuration problems, etc.). In fact, the pressure is strong enough that I used to use it as an interview question when hiring resources. For example, at the first interview I would ask something like:

"Hypothetical scenario: you discover a configuration issue in a customer's managed IDS instance that prevents it from scanning all relevant traffic. The customer is heavily regulated, has had a number of support issues recently and has gone on record that one more issue will cause them to take their business elsewhere. The account management team advises you to not inform the customer until the issue is resolved, which the technical manager says will take 3 months. What's the best course of action?"

If their answer was anything other than some form of "suck it up and immediately inform the customer", I would (politely) end the interview and cross them off the list. That said, I'm sure that not everyone at every CSP shares that same view.
Charlie Babcock,
User Rank: Author
5/13/2014 | 3:50:42 PM
Establish a central vulnerability reference
The idea of vulnerability sharing by cloud providers is a good one and spreads the cost of keeping up with the various forms of assault. Just as disease outbreaks come to the attention of the Center for Disease Control, so should vulnerabilities be contained through some centralized system of sharing analysis and countermeasures.
WKash,
User Rank: Author
5/13/2014 | 12:15:17 PM
Re: Feudalism
Stratustician, one compelling aspect of the FedRAMP cloud security authorization program is the role of 3PAOs - third party assessment organizations that providers must hire to assess/audit a service's security practices and processes. And because providers must have their FedRAMP authority renewed annually, there's less room to hide vulnerability incidents.
Stratustician,
User Rank: Ninja
5/13/2014 | 12:04:28 PM
Re: Feudalism
You're right: until the power shifts from the provider being protected by the SLA to the customers who have enough influence to demand more from the service provider, we are still at the mercy of the providers themselves, who determine the levels of security that these services entail. Previously, with managed security, there was more at risk, as these providers had to consistently prove their results; with cloud, there is more room for abstraction when it comes to the security backend, and so customers rarely have insight into the real vulnerabilities that exist. Perhaps this will cause a shift to having providers partner with third-party managed security providers to prove security performance? I really do hope so.
rfoeckl,
User Rank: Apprentice
5/12/2014 | 8:37:11 PM
Story
Interesting story.
WKash,
User Rank: Author
5/12/2014 | 2:22:32 PM
Re: Feudalism
One of the big arguments in favor of well-run, established cloud service providers is the notion that customers' data are better protected through a central utility with top security teams at the console than when their data are spread out, and exposed to a wider array of threats, across multiple systems within an agency. But as cloud providers become more commodity-oriented, and pricing pressures threaten to roll back some of that extra security expertise, customers may find their only leverage is to band together - in feudal fashion - with other users to ensure they're getting the protection(s) they're paying for in their SLAs.
Whoopty,
User Rank: Ninja
5/12/2014 | 5:55:55 AM
Re: Feudalism
Yea, there's been an interesting power shift with the growth of the cloud - which is why many governments are simply building their own. However, I hope that, with government security fears over unlawful spying or viewing of secretive data, more politicians will reconsider the way that domestic intelligence agencies have been spying on their own citizens in many countries.
danielcawrey,
User Rank: Ninja
5/11/2014 | 1:10:18 PM
Feudalism
I have never thought about this example of cloud feudalism that Schneier describes. But it does in many ways describe the kind of mercy we are at with cloud providers.

At the savings of paying for costly licenses and infrastructure fees, we are confronted with monthly fees and less control. Many IT shops don't like this. But if they want to, they can use their resources to build their own cloud architecture. The technology is available for those who don't like the feudal model.
