Patching systems and applications in the cloud should be just like patching those in normal production environments, right? Not so fast. While the concept of patching and its importance and relevance in a holistic security and risk management program remain intact, the nuances of cloud-based patch management can vary widely from traditional in-house programs.
Ultimately, what organizations should be looking for in a cloud security provider is some alignment with their internal patch management practices and standards.
In this article, we'll take a look at some of the challenges involved with patch management in cloud environments, as well as ideas on how to more effectively keep systems and applications up to date.
Cloud-based patch management considerations
The first consideration related to patching in the cloud is one of the age-old considerations for all things cloud:Who is responsible? And much like anything else in the cloud, the answer to this question depends on the delivery model.
With Software as a Service (SaaS) models, consumers have no control over patching processes whatsoever. This can have fairly significant ramifications for consumers, especially if the cloud provider doesn't have a sound patching and configuration management process in place. In 2010, for example, blogging platform WordPress experienced a serious outage due to a bad patch that was applied. For any consumers using a SaaS or Platform as a Service (PaaS) provider, the Cloud Security Alliance (CSA) recommends the following requirements that every cloud provider should maintain in its Cloud Controls Matrix (version 1.3):
Policies and procedures shall be established and mechanism implemented for vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and vendor-supplied security patches applied in a timely manner taking a risk-based approach for prioritizing critical patches.
For PaaS environments, organizations will likely have slightly more control over patching and configuration, particularly of application and development environment components and libraries, binaries, etc. Look to integrate any of the platforms (ASP .NET, PHP, Java, etc.) being used and the applications running on them into existing test and QA cycles, with fixes applied at the same time (or in the same cycle) as internal applications.
The bigger challenge in PaaS environments is management. Infrastructure teams now need to coordinate even more tightly with development and testing teams when applying patches, plus change windows need to be planned to accommodate those approved by the cloud provider, if applicable. All back-end infrastructure, including operating systems and network components, are still patched by the provider, and the same questions and concerns mentioned for SaaS environments should also apply with this model.
For Infrastructure as a Service (IaaS) providers, teams can install traditional patch management agents from providers such as IBM and Microsoft. These agents can report to patch management systems located in a central data center or even in the same cloud infrastructure, depending on the deployment scenario. There are also new cloud-based patch management options emerging for cloud servers, such as the offering from vendor ScaleXtreme that includes patch management for both internal and public cloud systems hosted in Amazon EC2 and other major cloud providers, easing the challenges involved with assessing and patching both systems in the same change window. Additional cloud-based patch management options include Fiberlink Communications' MaaS360 and VMware's Go.
Patching prep: What to look for in a CSP
Beyond the implications of the provider model on your cloud-based patch management outlook, the CSA Consensus Assessments Initiative recommends asking any potential cloud service providers (CSPs) the following questions related to patch and vulnerability management:
- Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?
- Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?
- Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?
- Will you make the results of vulnerability scans available to tenants at their request?
- Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?
- Will you provide your risk-based systems patching timeframes to your tenants upon request?
From the editors: More on cloud configuration and security
Learn how to handle virtualization security threats.
Find out how to maintain security after a successful cloud implementation.
Ultimately, what organizations should be looking for in a CSP is some alignment with their internal patch management practices and standards. For standard operating systems such as Windows and Linux, the key factors to consider include exposure level (where are the systems located?), criticality (how important are the systems?) and patch severity (how vulnerable is the system if left unpatched?). Important systems that are relatively exposed should have any critical patches applied ASAP, preferably within a few days. While platform providers may not reveal all aspects of their patch management and change control policies and procedures, they should be able to provide enough detail and reassurance to determine whether they're doing a good job.
Preparing for a new patching experience
Patching in the cloud brings new challenges, primarily in the areas of coordination and configuration control for IaaS and PaaS environments. Auditing and assessing cloud providers in PaaS and SaaS environments also proves to be problematic, although all providers should be formally evaluated for internal patching and vulnerability management controls and should be able to provide an independently-verified attestation of controls, such an SSAE 16 report, at a minimum. New and emerging products may facilitate patching across internal and external systems more readily, but most organizations are still likely to use the same tools they already own for IaaS deployments, although a localized patch repository and/or management platform in the same cloud environment may make sense for some.
About the author:
Dave Shackleford is senior vice president of research and chief technology officer (CTO) at IANS; and a SANS analyst, instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as chief security officer for Configuresoft; CTO for the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, and he recently co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.