Cloud service providers increasingly rely on vulnerability scanning to meet federal, industry and other types of regulations, as well as identify risks requiring remediation. However, scans simply report data, and in the absence of a complete and organized vulnerability management program, that data can raise more questions than answers. Worse, inaccurate data can skew the perspective providers need to make informed security decisions.
A complete vulnerability management program offers providers a clear and accurate assessment of their vulnerabilities because it relies on the detailed, well-planned processes necessary to properly set up the scans and to analyze the results for remediation. It allows the necessary action to take place to remediate risks in a timely manner because the program is designed to allow for frequent, streamlined communications to the appropriate stakeholders using the tools best aligned with the provider's environment.
The foundations of a strong vulnerability management program are found in three key areas: configuration, coordination and communication.
Configuring a data collection dashboard
Organizing a strong vulnerability-management program begins with configuring a dashboard-style design for data collection and reporting. In this design, the cloud provider's executive leadership, vulnerability-management program stakeholders and technicians rely on one access point for the charted scanning data, which allows the provider to track trends and see the current enterprise vulnerability status at any time. The dashboard combines data from monthly baseline enterprise scans with mid-cycle alerts (new findings that surface between baselines), so that its view of the provider's risk level stays current rather than aging for a month at a time.
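The rollup the dashboard needs, as an added example that is not the authors' code or any particular product's API: it merges this month's baseline scan with the mid-cycle alerts received since, compares the result against last month's baseline, and returns the figures a dashboard would chart (open findings by severity, new, remediated, persisting, and overdue against a remediation deadline). The scan records, field names, hosts, finding IDs and the per-severity deadlines are all constructed for the example. One detail worth copying: the earliest first-seen date is retained for a persisting finding, because a scanner export that stamps every finding with the current scan date would otherwise reset the finding's age every month and hide overdue items.

```python
"""Roll up scan exports into a dashboard view: current risk picture plus
month-over-month trend. Added example; scan records and field names are
constructed, not taken from any scanner or from the article."""
from collections import Counter
from datetime import date

# Assumed remediation deadlines (days) per severity. Illustrative policy only.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed sample exports. A finding is identified by (host, finding_id).
LAST_BASELINE = [  # ran 2013-02-01
    {"host": "web-01", "finding_id": "F-100", "severity": "high", "first_seen": date(2013, 1, 5)},
    {"host": "web-01", "finding_id": "F-101", "severity": "medium", "first_seen": date(2013, 2, 1)},
    {"host": "db-01", "finding_id": "F-200", "severity": "critical", "first_seen": date(2013, 2, 1)},
    {"host": "db-01", "finding_id": "F-201", "severity": "low", "first_seen": date(2012, 11, 1)},
]
CURRENT_BASELINE = [  # ran 2013-03-01; note F-100 is re-stamped with the scan date
    {"host": "web-01", "finding_id": "F-100", "severity": "high", "first_seen": date(2013, 3, 1)},
    {"host": "db-01", "finding_id": "F-201", "severity": "low", "first_seen": date(2012, 11, 1)},
    {"host": "web-02", "finding_id": "F-300", "severity": "medium", "first_seen": date(2013, 3, 1)},
]
MID_CYCLE_ALERTS = [  # arrived between the two baselines
    {"host": "db-01", "finding_id": "F-400", "severity": "critical", "first_seen": date(2013, 2, 20)},
]


def _key(finding):
    return (finding["host"], finding["finding_id"])


def rollup(last_baseline, current_baseline, mid_cycle_alerts, as_of, sla_days=SLA_DAYS):
    """Merge the current baseline with mid-cycle alerts, diff against the
    previous baseline, and return the numbers a dashboard would chart."""
    last = {_key(f): f for f in last_baseline}
    # Current picture = this baseline plus anything alerted since it ran.
    current = {_key(f): dict(f) for f in current_baseline}
    for f in mid_cycle_alerts:
        current.setdefault(_key(f), dict(f))
    # Keep the earliest first_seen so a re-scan does not reset a finding's age.
    for k, f in current.items():
        if k in last:
            f["first_seen"] = min(f["first_seen"], last[k]["first_seen"])
    overdue = sorted(
        k for k, f in current.items()
        if (as_of - f["first_seen"]).days > sla_days[f["severity"]]
    )
    return {
        "as_of": as_of.isoformat(),
        "open": len(current),
        "open_by_severity": dict(Counter(f["severity"] for f in current.values())),
        "new": sorted(set(current) - set(last)),
        "remediated": sorted(set(last) - set(current)),
        "persisting": sorted(set(current) & set(last)),
        "overdue": overdue,
        "net_change": len(current) - len(last),
    }


def example_rollup():
    """Run the rollup over the constructed sample data as of 2013-03-01."""
    return rollup(LAST_BASELINE, CURRENT_BASELINE, MID_CYCLE_ALERTS, date(2013, 3, 1))


if __name__ == "__main__":
    import json
    print(json.dumps(example_rollup(), indent=2))
```

On the sample data the open count is unchanged month over month (four findings both times), which is exactly the case where a headline number misleads: two findings were remediated, two new ones appeared, and one persisting high-severity finding is 55 days old and past its assumed 30-day deadline. Charting new, remediated and overdue alongside the open count is what makes the trend readable.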
The dashboard design relies on a blend of tools and resources to manage the collection of data and the remediation its data indicates is necessary. Tools selected for the explicit needs of a specific provider's environment can minimize the amount of manual effort required to track and remediate vulnerabilities. Cloud providers should consider the following features when selecting a patch management suite:
- Supported software: The suite should support the majority of applications in the provider's environment with minimal overhead.
- Supported platforms: The suite should map to the provider's current cloud platform.
- Reporting capabilities: The status reporting and patch-deployment tracking mechanism must be sufficient for the provider's compliance needs.
- Balance of manual and automated processes: The suite should automate the most labor-intensive and common processes for providers, and limit the need for manual remediation and tracking. This reduces costs and the potential for human error.
Coordinating resources and responsibilities
After selecting the appropriate tools and configuring the dashboard, a provider must assign employees with the correct skill set to the program in order to remediate the findings in a timely manner. Necessary roles include a program coordinator to monitor the automated and manual processes, as well as to maintain the dashboard and provide inventory, reporting and auditing oversight. Technical responders administer the remediation actions and device updates, contribute to maintaining accurate records for compliance, and monitor the automated processes of the patch suite.
The most important component of coordination is clearly outlining which roles are assigned to which responsibilities -- such as scanning, automated task monitoring, vendor relations and assigning risks -- to ensure the consistency necessary to create useful data.
Preparing for effective communication
The vulnerability-management program dashboard is the structure for communication, but there are steps stakeholders must take to specifically address the communication of remediation, monthly and mid-cycle reports, and policies in the program.
The dashboard is a centralized location that multiple stakeholders access, and using it must become a deliberate routine: it has to be actively updated and monitored, not consulted only when an audit or incident forces the question. The culture of the vulnerability management program must treat the dashboard as the most critical link for every cloud-provider stakeholder involved, and policy is the way to establish that commitment. Through a vulnerability coordinator, cloud providers can prepare in advance for effective communication by creating a structure to house current policies and subsequent policy updates, along with a method for sharing each policy's status and confirming that stakeholders understand the policies and know where they are stored.
Approaching vulnerability management as a comprehensive program instead of a series of disconnected scans allows providers to maintain accurate and current perspectives on overall enterprise security. They are then able to better execute security decisions with lasting and effective results. Balancing the configuration, coordination and communication needs of the provider's vulnerability management program is a thoughtful and measured process necessary for success.
About the authors:
David Svec is the co-principal and co-founder of Veris Group LLC. Kyle Snavely is the firm's vulnerability expert and associate. Veris Group LLC is a cybersecurity consultancy and an accredited FedRAMP third-party assessment organization (3PAO) based in Vienna, Va.