CIOReview | December 2022 | 9

...and patched operating systems. This approach eliminates the standing risk, but the key issue with vulnerabilities is the ongoing system and vulnerability lifecycle management needed to keep that risk reduced. If you did not have a strong patch management process before moving your systems to IaaS, you will simply move your security problems to a different square on the chess board.

As companies mature in their IaaS approach, Blue/Green server pools help address patching process risk. In a Blue/Green model, a baseline server is patched and has its vulnerabilities remediated so that it can serve as the Golden Image for all servers. Servers are then rebuilt frequently with Infrastructure-as-Code, creating a new pool built from the current image that is swapped in to replace the existing servers in that workload. There is no downtime requirement and no customer impact to patch and reboot systems. The pool is only as current as its last rebuild, however, so the rebuild cadence effectively becomes your patch SLA.

Application Modernization Reduces Traditional Vulnerabilities

When workloads mature through application modernization, the traditional legacy vulnerability landscape disappears in the PaaS model. You no longer need to patch Windows or Linux server operating systems or middleware components. Great! However, that does not eliminate vulnerabilities or the attacker's interest in them. In Agile or DevOps vocabulary, vulnerability management is shifted left: what matters now is the configuration and management of services and the interfaces into those services. In the serverless environment, APIs are the new digital currency, and protecting them from vulnerabilities caused by poor configuration or operations is critical.
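The configuration point above can be made concrete. The following is an added example, not code from the article: a small compliance check over a serverless API inventory. The inventory shape (routes carrying an authorization type, stage throttling and access-logging settings, CORS, and function URLs with an auth type) is an assumption modelled loosely on AWS API Gateway HTTP APIs and Lambda function URLs; the two estates are constructed, one weak and one corrected, and the check reports findings only for the weak one.

```python
"""Configuration-compliance checks for a serverless API estate.

Added example, not code from the original article. The inventory shape is an
assumption modelled loosely on AWS API Gateway HTTP APIs (routes, stage
settings, CORS) and Lambda function URLs; translate a real export from your
cloud CLI or Cloud Management Platform into this shape before running it.
"""
from dataclasses import dataclass

# Authorizer types accepted on a route; anything else is a finding.
ALLOWED_AUTH = {"JWT", "AWS_IAM", "CUSTOM"}
# Routes deliberately left anonymous (health checks and the like).
PUBLIC_ROUTE_ALLOWLIST = {"GET /health"}


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    detail: str


def check_api(api: dict) -> list[Finding]:
    """Return one Finding per misconfiguration in a single API definition."""
    findings: list[Finding] = []
    name = api["name"]

    for route in api.get("routes", []):
        key = route["route_key"]
        auth = route.get("authorization_type", "NONE")
        if key in PUBLIC_ROUTE_ALLOWLIST:
            continue
        if auth == "NONE":
            findings.append(Finding(f"{name}:{key}", "unauthenticated-route",
                                    "no authorizer and not on the public allowlist"))
        elif auth not in ALLOWED_AUTH:
            findings.append(Finding(f"{name}:{key}", "unknown-authorizer",
                                    f"authorization_type={auth}"))

    stage = api.get("stage", {})
    if not (stage.get("throttle_rate_limit") and stage.get("throttle_burst_limit")):
        findings.append(Finding(f"{name}:stage", "no-throttling",
                                "stage has no rate/burst limit; abuse and cost exposure"))
    if not stage.get("access_logging"):
        findings.append(Finding(f"{name}:stage", "access-logging-off",
                                "no access log to detect or investigate abuse"))

    cors = api.get("cors", {})
    if "*" in cors.get("allow_origins", []) and cors.get("allow_credentials"):
        findings.append(Finding(f"{name}:cors", "cors-wildcard-with-credentials",
                                "any origin may make credentialed calls"))
    return findings


def check_function_urls(functions: list[dict]) -> list[Finding]:
    """Flag function URLs that anyone on the internet can invoke."""
    return [
        Finding(fn["name"], "public-function-url", "auth_type=NONE on a function URL")
        for fn in functions
        if fn.get("url_enabled") and fn.get("url_auth_type", "NONE") == "NONE"
    ]


def check_estate(estate: dict) -> list[Finding]:
    """Run every check over all APIs and functions in an inventory."""
    findings: list[Finding] = []
    for api in estate.get("apis", []):
        findings.extend(check_api(api))
    findings.extend(check_function_urls(estate.get("functions", [])))
    return findings


# Constructed sample inventories: a weak estate and its corrected twin.
WEAK_ESTATE = {
    "apis": [{
        "name": "orders-api",
        "routes": [
            {"route_key": "POST /orders", "authorization_type": "NONE"},
            {"route_key": "GET /health", "authorization_type": "NONE"},
        ],
        "stage": {"access_logging": False},
        "cors": {"allow_origins": ["*"], "allow_credentials": True},
    }],
    "functions": [{"name": "orders-worker", "url_enabled": True, "url_auth_type": "NONE"}],
}

HARDENED_ESTATE = {
    "apis": [{
        "name": "orders-api",
        "routes": [
            {"route_key": "POST /orders", "authorization_type": "JWT"},
            {"route_key": "GET /health", "authorization_type": "NONE"},
        ],
        "stage": {"throttle_rate_limit": 100, "throttle_burst_limit": 50, "access_logging": True},
        "cors": {"allow_origins": ["https://shop.example.com"], "allow_credentials": True},
    }],
    "functions": [{"name": "orders-worker", "url_enabled": True, "url_auth_type": "AWS_IAM"}],
}

if __name__ == "__main__":
    for label, estate in (("weak", WEAK_ESTATE), ("hardened", HARDENED_ESTATE)):
        results = check_estate(estate)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.rule}] {f.resource}: {f.detail}")
```

The allowlist is the important design choice: an anonymous route is a finding unless someone has explicitly recorded that it is meant to be public, which is the review step a CMP or API-management policy should force rather than leaving it to whoever wrote the deployment template.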
To reduce the risk of vulnerabilities in serverless environments, use the security and configuration-compliance tooling in the Cloud Management Platform and API Management solution spaces, and treat who may call an interface, how callers are authenticated, and how much they may call it as part of the vulnerability surface.

Another way exploitable vulnerabilities shift left is through the supply chain for third-party code and libraries. Tools that verify code provenance and code security, such as pinning dependencies to a reviewed version and its content hash and checking signatures or build attestations where the ecosystem provides them, reduce the chance of vulnerable code or injected malware reaching your organization.

Eliminate Servers and Provide Data Protection

When a company adopts a cloud SaaS provider, protecting the infrastructure behind the scenes and managing the application are the SaaS provider's responsibility. Traditional vulnerabilities detected by vulnerability scanners do not apply in this case. In this environment, identity and access management is the key control, and it remains the customer's responsibility. The traditional Cloud Access Security Broker solution space can provide additional identity, authorization, access control, and data transfer protection mechanisms.

Vulnerabilities in the Cloud Provider Infrastructure

Significant vulnerabilities in cloud providers' infrastructure occur very infrequently, and the big cloud infrastructure providers are mature and quick in patching their infrastructure. As you are probably aware, cloud platforms involve a number of software and hardware components behind the scenes, some custom and some commercial off-the-shelf. Adversaries who can determine the software or hardware used in a cloud architecture could take advantage of known vulnerabilities to elevate privileges or access data across tenants. Security researchers have demonstrated possibilities in this area, but exploitation is difficult.
Unless you have highly sensitive workloads or a government/military purpose, assessing potential vulnerabilities in these areas is not a high risk or priority today.

Just Do It

Most approaches to moving to the cloud will consequently reduce the overall vulnerabilities in your environment. As shown in Figure 2, the further down the stack you go, the fewer vulnerabilities can affect your organization. If you have been struggling in the grind to identify and patch every vulnerability in your systems, moving to the cloud can minimize the number, the exploitability, and the potential consequences of vulnerabilities. Make the move!

THE QUICKEST APPROACH IS TO MOVE YOUR EXISTING DATA CENTER SYSTEMS FROM A PHYSICAL/VIRTUAL ENVIRONMENT TO THE PUBLIC CLOUD INFRASTRUCTURE PROVIDER
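Returning to the supply-chain point in the application modernization section: one concrete control is hash-pinned dependency installation, in the style of pip's --require-hashes mode, where every third-party package must be pinned to an exact version and a content hash, and an artifact whose digest does not match is refused before it is installed. The block below is an added example, not code from the article or from pip; the lockfile text, the artifact bytes and the package name somelib are constructed for the demonstration.

```python
"""Hash-pinned dependency verification, in the style of pip's --require-hashes mode.

Added example, not code from the original article or from pip. It parses a
requirements-style lockfile whose entries carry --hash=sha256:<hex> options,
verifies downloaded artifacts against those pins, and rejects entries that are
not pinned to an exact version or carry no hash. The artifact bytes, the
lockfile text and the package name "somelib" are constructed for the demo.
"""
import hashlib
import re

_REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s]+)")
_HASH_OPT = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<hex>[0-9a-f]+)")


def parse_requirements(text: str) -> dict[str, dict]:
    """Return {name: {"version": str, "hashes": {(algo, hex), ...}}}.

    Backslash continuation lines are joined first, as pip does. A dependency
    that is not pinned with == or that carries no --hash is an error, because
    either gap lets a different artifact slip through.
    """
    joined = text.replace("\\\n", " ")
    reqs: dict[str, dict] = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned requirement (use name==version): {line!r}")
        hashes = {(h.group("algo"), h.group("hex")) for h in _HASH_OPT.finditer(line)}
        if not hashes:
            raise ValueError(f"{m.group('name')} has no --hash pin")
        reqs[m.group("name").lower()] = {"version": m.group("version"), "hashes": hashes}
    return reqs


def verify_artifact(name: str, data: bytes, reqs: dict[str, dict]) -> bool:
    """True only if data matches one of the hashes pinned for name."""
    pinned = reqs.get(name.lower())
    if pinned is None:
        return False  # not in the lockfile: never install it
    for algo, expected in pinned["hashes"]:
        if algo not in hashlib.algorithms_available:
            continue  # an unknown algorithm cannot vouch for anything
        if hashlib.new(algo, data).hexdigest() == expected:
            return True
    return False


def failed_artifacts(artifacts: dict[str, bytes], reqs: dict[str, dict]) -> list[str]:
    """Install gate: names whose downloaded bytes match no pinned hash."""
    return [name for name, data in artifacts.items() if not verify_artifact(name, data, reqs)]


# Constructed artifacts: a stand-in wheel and a copy with bytes appended after the fact.
GOOD_WHEEL = b"PK\x03\x04 constructed stand-in for somelib-1.4.2-py3-none-any.whl"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected payload"
GOOD_SHA256 = hashlib.sha256(GOOD_WHEEL).hexdigest()

# Constructed lockfile pinning somelib to its reviewed version and content hash.
REQUIREMENTS = f"""\
# constructed lockfile: every entry pinned by version and content hash
somelib==1.4.2 \\
    --hash=sha256:{GOOD_SHA256}
"""

# Two lockfile entries the parser must refuse.
UNPINNED = "somelib>=1.4\n"
NO_HASH = "somelib==1.4.2\n"

if __name__ == "__main__":
    reqs = parse_requirements(REQUIREMENTS)
    for label, blob in (("good", GOOD_WHEEL), ("tampered", TAMPERED_WHEEL)):
        verdict = "ok" if verify_artifact("somelib", blob, reqs) else "REJECTED"
        print(f"somelib ({label}): {verdict}")
    for bad in (UNPINNED, NO_HASH):
        try:
            parse_requirements(bad)
        except ValueError as exc:
            print(f"rejected lockfile entry: {exc}")
```

The hash pins the bytes you reviewed, not merely the version string, so a republished or tampered artifact under the same name and version is refused. Provenance verification (signatures or build attestations) layers on top of this and answers who produced those bytes; the hash check alone only answers whether they changed.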