“Don't buy software you can't manage” is a decades-old adage among IT professionals. This guideline still applies today, especially when it comes to being cautious about cloud vulnerability management software.
Although definitions of cloud vulnerability management vary, the generally accepted one is that it is the practice of continuously identifying, managing, and remediating vulnerabilities in IT environments. It's a process that eventually becomes a seamless part of an organization's overall cloud security program.
While many large companies have begun designing and implementing a cloud vulnerability plan, many others have not. Such efforts falter for a variety of reasons, including the inertia typically found at Fortune 500 companies. This inertia often stems from questions about who in the company makes technology decisions that affect departments across the larger organization, each of which potentially has its own needs. There is also uncertainty about which budget will pay for products used in multiple parts of the business.
Another factor in slow adoption is a lack of knowledge about the strategic role and importance that cloud vulnerability management plays in the overall cloud security management scheme.
“Big companies need a well-defined vulnerability management strategy, but a lot of them do these things without putting in any effort. It's an afterthought,” said Jack Gould, president of J.Gold Associates, a consulting firm in Northboro, Massachusetts, which focuses on security and cloud environments. “But you can't pick on IT workers too much. Many of them don't get the resources they need to make this a priority,” he said.
Money is often what gets in the way of deciding to move forward with cloud vulnerability management.
“Many C-suite executives get into disputes with each other over who's going to pay for it and what the ROI on that investment is, but since most ROI investments are about productivity,” says Frank Dzubek, president of Communications Network Architects in Washington, D.C., “how do you measure productivity with products that prevent events that could negatively impact productivity?”
Common vulnerabilities in cloud environments
Cloud vulnerabilities that IT managers and other IT professionals are expected to encounter include:
Misconfigurations. These are errors in the security settings of cloud applications and systems, including virtual machines, containers, and serverless environments.
Lack of visibility. Companies typically mix and match cloud technologies from different vendors, creating an interconnected, evolving IT environment. In such a diverse technology landscape, it can be difficult to identify and mitigate cloud vulnerabilities.
Poor access management. Digital identities far outnumber human identities in cloud environments, making them attractive targets for hackers. Identity-related vulnerabilities serve as primary attack vectors for cybercriminals seeking entry into the IT environment.
Internal threats. Insider threats are vulnerabilities associated with individuals with current access to and knowledge of the IT environment, including current and former employees and business partners.
Insecure APIs. Hackers can exploit API vulnerabilities, such as inadequate access controls, weak authentication protocols, and inadvertent data exposure.
No cloud encryption. Lack of cloud encryption is a prominent security vulnerability in cloud storage, allowing unauthorized individuals to access important data if they can infiltrate the cloud environment. When data is fully encrypted, it is converted into a format that cannot be read without an encryption key.
Since every organization using cloud services faces these vulnerabilities, it is important that they work collaboratively with their vendors to take steps to mitigate cloud risks.
Cloud vulnerability management challenges
It is often left to CISOs to make procurement and implementation decisions related to cloud vulnerability management, but this is not always the case. Sometimes it's department executives far removed from senior management who have the power, and there's little chance they can all agree on a global standard for cloud vulnerability management tools.
For this reason, cloud vulnerability management becomes a complex issue.
“The need to secure hybrid, multi-cloud environments for multiple organizations is overwhelming for IT leaders,” said Stephen Dickens, vice president and practice leader at Futurum Group. “When you couple this with a fragmented security vendor market, the challenges multiply,” Dickens said. “What is needed is the emergence of security platforms that address multiple threat niches from a small group of trusted vendors.”
Until these platforms emerge, Dickens advises organizations to remain vigilant, partner with trusted vendors, and look to regulatory frameworks as mechanisms to ensure best practices. Regulations such as Europe's Digital Operational Resilience Act for financial services and the PCI DSS for credit card data are examples of standards that have helped clarify complex business practices.
Best practices for cloud vulnerability management
To help organizations stand a chance against determined adversaries, PurpleSec, a cybersecurity firm based in Washington, D.C., offers three guidelines for managing cloud vulnerabilities:
Conduct asset and inventory discovery. The most important step in vulnerability management is to conduct a comprehensive inventory of all authorized and unauthorized devices on the network, including software installed on organization-owned assets and those owned by external vendors. Once the IT team knows which assets pose the greatest risk, they can adjust the vulnerability scanning process.
Classify assets and assign tasks. After inventorying the assets, IT must categorize and classify those assets based on the true risks to which the company is exposed. Risk classification helps determine the frequency of vulnerability scanning and the priority of remediation tasks. It is also important to assign ownership of assets so that it is understood who is responsible for the risks associated with the assets; this also makes it clear that the designated owners become liable if that asset is compromised.
Run automatic, frequent vulnerability scanning. The IT department should perform an automated vulnerability scan against all systems on the network at least every month or quarter. However, new vulnerabilities can be found daily, and hackers sometimes weaponize them within hours. So, if you scan monthly, your organization could theoretically be exposed to risk up to 29 days a month.
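The three guidelines above can be combined into a single inventory review. The following Python sketch is an added example, not code from PurpleSec or the article; the asset names, the risk tiers and the scan interval assigned to each tier are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy (not from the article): scan interval in days per risk tier.
SCAN_INTERVAL_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}

@dataclass
class Asset:
    name: str
    authorized: bool           # False = seen on the network, not in the approved inventory
    owner: Optional[str]       # accountable person or team, None if unassigned
    risk: str                  # one of the SCAN_INTERVAL_DAYS keys
    last_scan: Optional[date]  # None if never scanned

def worst_case_exposure_days(interval_days: int) -> int:
    """A flaw disclosed the day after a scan stays unseen until the next scan."""
    return max(interval_days - 1, 0)

def review(assets, today):
    """Return one finding per asset: governance gaps plus scan status."""
    findings = []
    for a in assets:
        interval = SCAN_INTERVAL_DAYS[a.risk]
        issues = []
        if not a.authorized:
            issues.append("unauthorized")
        if a.owner is None:
            issues.append("no-owner")
        if a.last_scan is None:
            issues.append("never-scanned")
        elif (today - a.last_scan).days > interval:
            issues.append("scan-overdue")
        findings.append({"asset": a.name, "interval_days": interval,
                         "exposure_days": worst_case_exposure_days(interval),
                         "issues": issues})
    # Most issues first, then shortest interval (highest risk tier) first.
    return sorted(findings, key=lambda f: (-len(f["issues"]), f["interval_days"]))

# Constructed sample inventory (hypothetical asset and team names).
INVENTORY = [
    Asset("payments-api", True, "team-payments", "critical", date(2024, 5, 30)),
    Asset("hr-portal", True, None, "medium", date(2024, 4, 20)),
    Asset("test-vm-17", False, None, "low", None),
    Asset("wiki", True, "team-it", "low", date(2024, 4, 1)),
]

if __name__ == "__main__":
    for finding in review(INVENTORY, date(2024, 6, 1)):
        print(finding)
```

With a 30-day interval the helper reproduces the 29-day worst-case window mentioned above, and the unowned, unauthorized, never-scanned asset sorts to the top of the review.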
The future of cloud vulnerability management
AI and machine learning technologies have appeared in a variety of security offerings over the past year or two, including cloud vulnerability management products. Most often, AI deployments in vulnerability programs make the processes associated with remediation and vulnerability scanning faster and more efficient.
For example, Cisco's vulnerability management system is built around advanced algorithms as well as internal and external threat intelligence. The system can detect vulnerability changes and predict whether malware will be used as a weapon.
Cisco also doubled down on its commitment to integrating advanced technologies by announcing Hypershield in April 2024. Built from the ground up using artificial intelligence, this product aims to protect applications and devices across public and private data centers. It's autonomous and predictive, and Cisco said the product will eventually be adapted to manage itself.
Cisco is working with Nvidia to build AI-based security offerings. The partnership includes the use of Nvidia's Morpheus AI-based cybersecurity framework, which features network anomaly detection.
Also, Tenable said it is bringing new AI capabilities to its One Exposure Management platform. The features allow users to ask its AI assistant relevant questions to get more specific guidance on security risks and threat intelligence.
Ed Scannell is a freelance writer based in Needham, Massachusetts. He writes about a wide range of technologies and issues facing corporate IT professionals. He can be reached at ed.scannell@gmail.com.