Cloud Security Will NOT Supplant Patching…Qualys Has Its Head Up Its SaaS
“Cloud Security Will Supplant Patching…”
What a sexy-sounding claim in this Network World piece which is titled with the opposite suggestion from the title of my blog post. We will still need patching. I agree, however, that how it’s delivered needs to change.
Before we get to the issues I have, I do want to point out that the article — despite it’s title — is focused on the newest release of Qualys’ Laws of Vulnerability 2.0 report (pdf,) which is the latest version of the Half Lives of Vulnerability study that my friend Gerhardt Eschelbeck started some years ago.
In the report, the new author, Qualys’ current CTO Wolfgang Kandek, delivers a really disappointing statistic:
In five years, the average time taken by companies to patch vulnerabilities had decreased by only one day, from 60 days to 59 days, at a time when the number of flaws and the speed at which they are being exploited has accelerated from weeks to, in some cases, days. During the same period, the number of IP scanned on an anonymous basis by the company from its customer base had increased from 3 million to a statistically significant 80 million, with the number of vulnerabilities uncovered rocketing from 3 million to 680 million. Of the latter, 72 million were rated by Qualys as being of ‘critical’ severity.
That lack of progress is sobering, right? So far I’m intrigued, but then that article goes off the reservation by quoting Wolfgang as saying:
Taken together, the statistics suggested that a new solution would be needed in order to make further improvement with the only likely candidate on the horizon being cloud computing. “We believe that cloud security providers can be held to a higher standard in terms of security,” said Kandek. “Cloud vendors can come in and do a much better job.” Unlike corporate admins for whom patching was a sometimes complex burden, in a cloud environment, patching applications would be more technically predictable – the small risk of ‘breaking’ an application after patching it would be nearly removed, he said.
Qualys has its head up its SaaS. I mean that in the most polite of ways…
Let me make a couple of important observations on the heels of those I’ve already made and an excellent one Lori MacVittie made today in here post titled “The Real Meaning Of Cloud Security Revealed:”
- I’d like a better definition of the context of “patching applications.” I don’t know whether Kandek mean applications in an enterprise or those hosted by a Cloud Provider or both?
- There’s a difference between providing security services via the Cloud versus securing Cloud and its application/data. The quotes above mix the issues. A “Cloud Security” provider like Qualys can absolutely provide excellent solutions to many of the problems we have today associated with point product deployments of security functions across the enterprise. Anti-spam and vulnerability management are excellent examples. What that does not mean is that the applications that run in an enterprise can be delivered and deployed more “securely” thanks to the efforts of the same providers.
- To that point, the Cloud is not all SaaS-based. Not every application is going to be or can be moved to a SaaS. Patching legacy applications (or hosting them for that matter) can be extremely difficult. Virtualization certainly comes into play here, but by definition, that’s an IaaS/PaaS opportunity, not a SaaS one.
- While SaaS providers who do “own the entire stack” are in a better position through consolidated multi-tenancy to transfer the responsibility of patching “their” infrastructure and application(s) on your behalf, it doesn’t really mean they do it any better on an application-by-application basis. If a SaaS provider only has 1-2 apps to manage (with lots of customers) versus an enterprise with hundreds (and lost of customers,) the “quality” measurements as it relates to management of defect (from any perspective) would likely look better were you the competent SaaS vendor mentioned in this article. You can see my point here.
- If you add in PaaS and IaaS as opposed to simply SaaS (as managed by a third party.) then the statement that “…patching applications would be more technically predictable – the small risk of ‘breaking’ an application after patching it would be nearly removed” is false.
It’s really, really important to compare apples to apples here. Qualys is a fantastic company with a visionary leader in Phillipe Courtot. I was an early adopter of his SaaS service. I was on his Customer Advisory Board. However, as I pointed out to him at the Jericho event where I was a panelist, delivering a security function via the Cloud is not the same thing as securing it and SaaS is merely one piece of the puzzle.
I wrote a couple of other blogs about this topic:
- Patching the Cloud
- What People Really Mean When They Say The Cloud Is More Secure
- Cloud Providers Are Better At Securing Your Data Than You Are…
- Reprise: On-Demand SaaS Vendors Able to Secure Assets Better than Customers?