Cloud and vulnerability management: Avoiding the security stumbling blocks

Security is a big challenge for many businesses. The growth in data breach stories in 2015 proves that companies of all sizes can be successfully attacked. From small organisations like Ashley Madison to big companies such as TalkTalk and the Hilton Hotels chain, there wasn’t a week that went by during the year without the details of a new attack hitting the media.

To some extent, this growing awareness of security has been useful for IT teams. Data breaches cause damage to organisations’ brands and lead to customer attrition. Management is now confronted with information on security from many outside sources and IT security is quickly gaining board level attention. The World Economic Forum released its 2016 report in January and held up lack of IT security as one of the biggest risks to businesses being successful in the future. Cyber-attacks are listed as the number one risk to economic growth for companies – emphasising the need to have a sound IT security strategy.

This focus on security has helped IT teams expand their investments in security technologies. Gartner has recorded an increase in spending around IT security worldwide of around 4.7 per cent, with $75.4 billion allotted to existing and new products that can help keep company data and assets secure.

However, in Europe, the market is being affected by the value of the dollar. With many security companies being based in the US, the rise of this currency has added up to price rises on security technology of up to 20 per cent. Just as awareness is growing and money is being made available to IT, the sheer cost of acquiring this technology is putting projects in jeopardy.

This is accelerating an already present effect: IT is looking for alternative options to the traditional capital expense-heavy approach that on-premises products have attached to them. Software as a Service tools fit the bill here as one can start small, increase usage as needed and only get billed for metered usage. In addition, the existence of free tools for asset discovery can help businesses to get an accurate picture of their IT assets, one of the fundamental building blocks for better IT security management.

Making the move to cloud security

The growth of Cloud computing has had a big impact on the IT industry as a whole. Alongside the changes in budgeting and economics of running IT for enterprises, the shift to cloud-based IT is affecting security as well. In the past, all company data would have been based on internal IT assets and storage. This centralised approach meant that firms could concentrate on securing the perimeter, adding defence in depth through layering more technologies over the top of the corporate firewall.

However, this accretion of technologies has not kept up with either the shifts in how companies run their IT or the aggressive development of the malware sector either. Today, any employee can access company information from mobile devices while they are out of the office; while often companies supply these devices and keep them secure, many employees are using their own phones, laptops or tablets as well.

Line of Business teams can buy in their own applications without involving IT in the selection process or asking about security; the data they create after these decisions never gets saved on company IT assets. Many applications have shifted to third party providers or to the Cloud. The perimeter that was so secure in the past has now become irrelevant.

At the same time, IT teams have to meet shorter vulnerability windows between issues being found and exploits published. What took more than 60 days a decade ago in 2006 was reduced to eight days in 2014. In 2016, the vulnerability window is now less than 48 hours.

All this change means that IT has less visibility into the current status of IT assets, as well as all the services that are being used across the business. To combat this, IT security needs to become global and work in realtime; moving security and vulnerability scanning services to the Cloud can help.

Making use of Cloud services in this way helps IT deliver better service back to the business, while also providing better quality data on the company’s security position. With Cloud services, even if company IT assets are mobile, they can be checked regularly to ensure that they are up to date and secure. Making use of Cloud helps IT to gain back visibility and deliver information and security on a continuous basis.

For smaller firms Cloud security is even more attractive as it offers capabilities and levels of protection that could not be achieved by their internal teams. Operators of Cloud services work at scale in secure data centres and have to focus on securing their implementations; in fact this emphasis on security within multi-tenant environments is critical to their ongoing success as a business. As a result, Cloud vendors have to build security into their infrastructure from the start.

For small and mid-sized businesses, the decision around Cloud security should be a simple one to make. The key approach is to start with an inventory of existing on-premises and external IT assets. Once an overview of all assets has been created, it’s then possible to continuously monitor external applications and internal IT assets for flaws and misconfigurations. The ongoing emphasis on continuous monitoring with short windows to fix deployments ensures that all endpoints, even roaming laptops, are secured against attack.

For larger companies, the move to the Cloud can be more complex. However, the journey should begin by introducing asset management tools that cover the whole business across internal or fixed IT assets as well as those that are primarily used outside the business and never touch the corporate network.

This asset data is the basis for ongoing security, so it should be continuously updated. Using Cloud for scanning avoids some of the IT overhead that traditional vulnerability management products have, as they can scale up and down based on the volume of scans that are required.

While critical applications and mobile devices might get scanned every day to check for problems, internal IT assets may only need to be scanned every week. Overall, this asset list will provide IT with a better picture of security for the whole business.

Wolfgang Kandek, Chief Technical Officer, Qualys

Image source: Shutterstock/Maksim Kabakou