Vulnerability Management in an Elastic World

Posted on by Richard Bussiere

Elastic computing defined 

The concepts of cloud computing as a utility, DevOps and containerization have combined to enable the deployment of applications and web-based services in a very dynamic way. Often called elastic computing, services can grow or shrink when required. This enables a deployment model that can maintain customer satisfaction in a cost-effective way, which is critical in today’s extremely competitive business environment. I will explain the characteristics of these trends and the implications these trends impose on the vulnerability management process. 

Some characteristics of today’s elastic cloud computing environments include: 

  • The ability to grow or shrink the required compute, network and storage resources as customer demand increases and decreases
  • A high degree of automation enabling resources to be provisioned and released with or without human intervention, with little to no understanding of the underlying hardware infrastructure
  • Pooled or shared resources which serve different customers in a true multi-tenanted model, with resources assigned and reassigned to different customers as required
  • Metering of the services so that customers only pay for the computing, storage and network resources that they use and nothing more 

Clearly a dynamic environment with these characteristics encourages applications to come, go and change. 

DevOps evolving with CD / CI & containerization

In addition to elastic cloud-based computing, development methodologies are changing too. Fueled by demand for increased productivity, accelerated innovation and faster go-to-market release cycles for digital products and services, the way application development and deployment take place has been rethought. Software Development and Operations are being integrated into a single unified function: DevOps. DevOps brings with it the concepts of Continuous Development (CD) and Continuous Integration (CI), which provide higher levels of automation and streamline legacy approaches. This means that small incremental changes to applications are being pushed to production more rapidly than ever before. This contrasts heavily with traditional waterfall development methodologies. 

Closely associated with DevOps methodologies is the concept of containerization—exemplified by the popular Docker platform which is focused on ease of use and speed of deployment. Containers implement a lightweight virtualization model where a single instance of an operating system is leveraged concurrently by several applications. This can be contrasted against the traditional virtualization model where one application sits on top of a single instance of an operating system. The benefits of the container model are clear: more efficient resource utilization and simplified software distribution. At the same time, the container model lends itself very well to elastic computing models since a container can be created in seconds and likewise destroyed in seconds. 

How to manage vulnerabilities in an elastic computing environment 

There are three major related trends that are converging at the same time - utility cloud computing, DevOps and containerization.  To perform vulnerability assessment properly within an environment embracing these trends, the way that the assessment process is performed must adapt. 

Visibility into vulnerabilities and compliance must be real-time and continuous to compensate for the dynamics of an elastic infrastructure. The objectives of implementing instrumentation to achieve dynamic visibility include: 

  • Inventory - What applications are running, and how many instances of each application exist?
  • Vulnerabilities - For the virtualized instances in the cloud, what vulnerabilities exist on the operating systems and in the applications?
  • Threat Detection - Are there any instances of malicious code executing within any of the applications?
  • Configuration - Are the virtualized cloud hosts configured properly from a security perspective? 

To match the elastic computing environment, the instrumentation itself must be applied in a way that enables awareness of assets as they are created or deleted, and tracking of the vulnerability state across all cloud-based assets as they are created or destroyed. This can be achieved by monitoring the APIs specific to the cloud environment in question. 
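One way to build the asset awareness described above, as an added example that is not from the original post: a cloud provider's lifecycle events are folded into a live inventory so autoscaled assets are noticed as they appear and vanish, and the time of each asset's last assessment is tracked. The event schema, asset ids and the CVE id are constructed placeholders; a real provider's audit or event API has its own format.

```python
# Added example, not from the original post: fold a cloud provider's lifecycle
# events into a live inventory so autoscaled assets are noticed as they appear
# and vanish, and their last assessment is tracked. Event schema is constructed.
from dataclasses import dataclass, field
@dataclass
class Asset:
    asset_id: str
    image: str
    created_at: int             # epoch seconds from the creation event
    last_assessed_at: int = -1  # -1 means never assessed
    findings: list = field(default_factory=list)

def apply_events(events, inventory=None):
    """Fold a stream of lifecycle and assessment events into the inventory."""
    inventory = {} if inventory is None else inventory
    for ev in events:
        kind, aid = ev["type"], ev["asset_id"]
        if kind == "create":
            inventory[aid] = Asset(aid, ev["image"], ev["time"])
        elif kind == "assessed" and aid in inventory:
            inventory[aid].last_assessed_at = ev["time"]
            inventory[aid].findings = list(ev["findings"])
        elif kind == "destroy":
            inventory.pop(aid, None)  # gone: no stale row left to re-scan
    return inventory

def needs_assessment(inventory, now, max_age):
    """Assets never assessed, or last assessed more than max_age seconds ago."""
    return sorted(a.asset_id for a in inventory.values()
                  if a.last_assessed_at < 0 or now - a.last_assessed_at > max_age)

def exposure(inventory, severity):
    """Running assets carrying at least one finding of the given severity."""
    return sorted(a.asset_id for a in inventory.values()
                  if any(f["severity"] == severity for f in a.findings))

# Constructed feed: an autoscaling group starts two instances, one is assessed,
# the other is torn down before it was ever assessed, then a new one appears.
SAMPLE_EVENTS = [
    {"type": "create", "asset_id": "i-001", "image": "web:1.4", "time": 1000},
    {"type": "create", "asset_id": "i-002", "image": "web:1.4", "time": 1005},
    {"type": "assessed", "asset_id": "i-001", "time": 1100,
     "findings": [{"id": "CVE-0000-0001", "severity": "high"}]},  # placeholder id
    {"type": "destroy", "asset_id": "i-002", "time": 1200},
    {"type": "create", "asset_id": "i-003", "image": "web:1.5", "time": 1300},
]
if __name__ == "__main__":
    inv = apply_events(SAMPLE_EVENTS)
    print(sorted(inv), needs_assessment(inv, 1400, 600), exposure(inv, "high"))
```

The destroyed instance never produces a stale inventory row, while the newly created one is queued for assessment immediately.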

Assessing the vulnerability state of assets can be performed through traditional vulnerability scanners, through agent-based solutions, or externally through web application scanners for web-based applications. 

There is one exception to this: containers. The vulnerability state of a running container cannot be assessed through traditional active methods. Rather, the vulnerability state of containers must be assessed before they are deployed. One method to perform this assessment is by scanning the container image, where the container's contents are examined for vulnerability state while the image rests within its repository. Policies can then be implemented which would inhibit the deployment of container images that are not compliant with minimum security standards. This assessment should be performed on a continuous basis so that if the vulnerability position of any of the container's components changes, it will be detected. 

Additionally, there is an opportunity to make container image testing for vulnerabilities a prerequisite to the release of the container into production.  The testing process should be tightly woven into the DevOps process, and anything released into production must meet minimum security requirements. 
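The policy gate and continuous re-check described in the two paragraphs above, as an added example that is not from the original post: a scan report for a container image is evaluated against a minimum policy at release time, and the same image is re-evaluated later when a new advisory appears for a package already inside it. The report structure, policy keys, package names, digest and CVE ids are constructed placeholders.

```python
# Added example, not from the original post: a release gate that evaluates a
# container image's scan report against a minimum policy, then re-evaluates the
# same image later when new findings appear. Report fields and ids are constructed.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

DEFAULT_POLICY = {
    "block_at_or_above": "critical",         # never deploy, fix available or not
    "block_if_fixable_at_or_above": "high",  # a fix exists: rebuild before release
    "max_unfixed_high": 2,                   # cap on highs that have no fix yet
}

def evaluate_image(report, policy=DEFAULT_POLICY):
    """Return (allowed, reasons) for one image scan report."""
    reasons, unfixed_high = [], 0
    hard = SEVERITY_RANK[policy["block_at_or_above"]]
    fixable = SEVERITY_RANK[policy["block_if_fixable_at_or_above"]]
    for f in report["findings"]:
        rank = SEVERITY_RANK[f["severity"]]
        label = f"{f['id']} in {f['package']} ({f['severity']})"
        if rank >= hard:
            reasons.append(f"blocked: {label}")
        elif rank >= fixable and f.get("fixed_in"):
            reasons.append(f"blocked: {label}, fixed in {f['fixed_in']}")
        elif rank >= fixable:
            unfixed_high += 1
    if unfixed_high > policy["max_unfixed_high"]:
        reasons.append(f"blocked: {unfixed_high} high findings without a fix")
    return (not reasons, reasons)

def reassess(digest, previously_allowed, new_report, policy=DEFAULT_POLICY):
    """Continuous re-check: report images whose gate status changed since release."""
    allowed, reasons = evaluate_image(new_report, policy)
    return {"digest": digest, "allowed": allowed,
            "changed": allowed != previously_allowed, "reasons": reasons}

# Constructed reports for one image digest: at release time, and after a new
# advisory with a fix is published for a package already inside the image.
AT_RELEASE = {"digest": "sha256:PLACEHOLDER", "findings": [
    {"id": "CVE-0000-0001", "package": "libexample", "severity": "medium", "fixed_in": "1.2"},
    {"id": "CVE-0000-0002", "package": "libother", "severity": "high", "fixed_in": None},
]}
LATER = {"digest": "sha256:PLACEHOLDER", "findings": AT_RELEASE["findings"] + [
    {"id": "CVE-0000-0003", "package": "libother", "severity": "high", "fixed_in": "2.0"},
]}

if __name__ == "__main__":
    ok, why = evaluate_image(AT_RELEASE)
    print("release gate:", ok, why)
    print("re-check:", reassess(AT_RELEASE["digest"], ok, LATER))
```

The image passes at release because its only high finding has no fix yet; once a fixable high is published for the same package, the re-check flips the status and names the rebuild target.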

The trends of elastic cloud-based computing, DevOps and containerization will continue to accelerate as the pace of agile change and competitive dynamics prove too irresistible for businesses to ignore. At the same time, the problem of ensuring that these elastic virtualized infrastructures are secure remains a critical issue. Vulnerability management, configuration auditing and threat detection are a key part of ensuring that these virtual infrastructures are secure and resilient — and these processes must adapt now!  Security teams must also remain as agile as their Development colleagues by adapting processes to suit the new elastic environment.

Richard Bussiere

Technical Director, APAC, Tenable


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
