
Cloud Security Will NOT Supplant Patching…Qualys Has Its Head Up Its SaaS

“Cloud Security Will Supplant Patching…”

What a sexy-sounding claim in this Network World piece which is titled with the opposite suggestion from the title of my blog post.  We will still need patching.  I agree, however, that how it’s delivered needs to change.

Before we get to the issues I have, I do want to point out that the article — despite its title — is focused on the newest release of Qualys’ Laws of Vulnerability 2.0 report (pdf), which is the latest version of the Half Lives of Vulnerability study that my friend Gerhard Eschelbeck started some years ago.

In the report, the new author, Qualys’ current CTO Wolfgang Kandek, delivers a really disappointing statistic:

In five years, the average time taken by companies to patch vulnerabilities had decreased by only one day, from 60 days to 59 days, at a time when the number of flaws and the speed at which they are being exploited has accelerated from weeks to, in some cases, days. During the same period, the number of IP scanned on an anonymous basis by the company from its customer base had increased from 3 million to a statistically significant 80 million, with the number of vulnerabilities uncovered rocketing from 3 million to 680 million. Of the latter, 72 million were rated by Qualys as being of ‘critical’ severity.

That lack of progress is sobering, right? So far I’m intrigued, but then that article goes off the reservation by quoting Wolfgang as saying:

Taken together, the statistics suggested that a new solution would be needed in order to make further improvement with the only likely candidate on the horizon being cloud computing. “We believe that cloud security providers can be held to a higher standard in terms of security,” said Kandek. “Cloud vendors can come in and do a much better job.”  Unlike corporate admins for whom patching was a sometimes complex burden, in a cloud environment, patching applications would be more technically predictable – the small risk of ‘breaking’ an application after patching it would be nearly removed, he said.

Qualys has its head up its SaaS.  I mean that in the most polite of ways… 😉

Let me make a couple of important observations on the heels of those I’ve already made and an excellent one Lori MacVittie made today in her post titled “The Real Meaning Of Cloud Security Revealed”:

  1. I’d like a better definition of the context of “patching applications.”  I don’t know whether Kandek means applications in an enterprise, those hosted by a Cloud Provider, or both.
  2. There’s a difference between providing security services via the Cloud versus securing Cloud and its application/data.  The quotes above mix the issues.  A “Cloud Security” provider like Qualys can absolutely provide excellent solutions to many of the problems we have today associated with point product deployments of security functions across the enterprise. Anti-spam and vulnerability management are excellent examples.  What that does not mean is that the applications that run in an enterprise can be delivered and deployed more “securely” thanks to the efforts of the same providers.
  3. To that point, the Cloud is not all SaaS-based.  Not every application is going to be or can be moved to a SaaS.  Patching legacy applications (or hosting them for that matter) can be extremely difficult.  Virtualization certainly comes into play here, but by definition, that’s an IaaS/PaaS opportunity, not a SaaS one.
  4. While SaaS providers who do “own the entire stack” are in a better position through consolidated multi-tenancy to transfer the responsibility of patching “their” infrastructure and application(s) on your behalf, it doesn’t really mean they do it any better on an application-by-application basis.  If a SaaS provider only has 1-2 apps to manage (with lots of customers) versus an enterprise with hundreds (and lots of customers), the “quality” measurements as they relate to management of defects (from any perspective) would likely look better were you the competent SaaS vendor mentioned in this article.  You can see my point here.
  5. If you add in PaaS and IaaS as opposed to simply SaaS (as managed by a third party), then the statement that “…patching applications would be more technically predictable – the small risk of ‘breaking’ an application after patching it would be nearly removed” is false.

It’s really, really important to compare apples to apples here. Qualys is a fantastic company with a visionary leader in Philippe Courtot.  I was an early adopter of his SaaS service.  I was on his Customer Advisory Board.  However, as I pointed out to him at the Jericho event where I was a panelist, delivering a security function via the Cloud is not the same thing as securing it, and SaaS is merely one piece of the puzzle.

I wrote a couple of other blogs about this topic:

/Hoff

  1. May 4th, 2009 at 12:00 | #1

    The only real "offense" Wolfgang committed with this quote is to use the term cloud too broadly, which I have trouble faulting him for. I think most people realize that SaaS is only one of the cloud delivery models and that patching your software stack deployed with Amazon AWS or Azure is just as dangerous as it is on the enterprise network (you could argue that testing and rollback is significantly easier in PaaS and IaaS environments, but that's not the point). I sincerely doubt Wolfgang is advocating for simply rolling the same old broken software into the cloud and congratulating each other with a job well done, however.

    Fact remains that the SaaS model does afford you the ability to control the entire software stack and provide a much higher level of security and reliability than possible with traditional software.

    So semantics aside, I agree with Wolfgang 100%. Sounds like you do, too.

  2. May 4th, 2009 at 12:04 | #2

    Chris,

    Commenting here still from Europe, trying to stay awake with the help of a Hoffachino…

    I actually believe we are in agreement, but here are some clarifications:

    1. “patching applications” – SaaS based providers can do a better job in patching the applications that they are responsible for as they have the money/volume of users to maintain the dedicated resources necessary to do so. Not doing so will ultimately result in the failure of the business. Example: Salesforce/Netsuite should be more up-to-date in their patching and security than your average in-house CRM/ERP implementation. Even on the desktop side these are things that I would want from a successful VDI provider: aggressive testing of patches, speedy roll-outs of patching of standard applications, general monitoring of the state of systems as far as configuration and updateness goes, additional mitigation technologies, etc.

    2. Correct – that should read “Cloud Providers can be held to a higher standard in terms of security” to limit it to applications that SaaS controls. While I believe that we (Qualys) provide a valuable service, we do not provide automatic security to everything we touch.

    3. True.

    4. Absolutely

    5. Agree 90% – I do not understand the PaaS offerings too well, but in the IaaS arena we can apply the same reasoning as well – I would want them to show me how they are securing the Infrastructure – physically and logically – how is the datacenter secured, how quickly do you patch infrastructure software (the recent VMware vulnerability comes to mind – VMSA-2009-0006), are you using firewalls, IDS/IPS, are you monitoring these servers for outgoing botnet connections, etc – and what is the policy for getting these alerts to me. I can see the potential to get more clarity from the IaaS provider than internally and anecdotally have heard of some cases…

    Wolfgang

  3. May 4th, 2009 at 12:10 | #3

    @Misha

    Just so I understand your point better, when *you* said:

    >> Fact remains that the SaaS model does afford you the ability to
    >> control the entire software stack and provide much higher level of
    >> security and reliability than possible with traditional software.

    …which "you" are *you* referring to? The consumer/customer or the provider?

    Also, please supply me with some factual evidence (metrics, proof points) beyond conjecture and "should" to support your assertion. If I compare a SINGLE web-based application built and delivered in the enterprise to that delivered by a SaaS vendor, how are they going to be "more secure?"

    I find it interesting that even in these early days, the most visible "Cloud" breaches have all come from SaaS providers (Salesforce.com, Monster.com and GoogleDocs).

    I see Wolfgang just commented, so I'm going to take a look-see…

    /Hoff

  4. May 4th, 2009 at 13:16 | #4

    It's a collective "you", but I mean service providers. Providers that control the entire stack can and should be held to a higher standard.

    I am not saying that going with a SaaS provider automatically grants you a magical security shield. But I do believe that SaaS environments are easier to protect than a hodge podge of traditional software running in an enterprise.

    This space is not nearly mature enough to provide metrics yet, but while the promise of security is not universally true across all providers, my premise that the SaaS model provides a unique *opportunity* for better security is far from conjecture.

    Our infrastructure team has tested and rolled out security patches across more than 1,200 systems within hours of their release, which is something I would not even attempt in an enterprise setting. There are very few situations that require a release cycle this fast and it has inherent risks of its own. The broader point is that when I needed to push a patch I considered beyond critical, I could and I did.
