Moving to the Cloud Won’t Solve Your Security Woes
Not all press is good press. Case in point: security breaches. One local government CTO we work with proclaimed, “Part of my job is to make sure we stay out of the news.”
It’s critical that technology leaders ensure the utmost security of their systems to avoid ending up the subject of the wrong kind of headline, like Norton LifeLock, Mailchimp, Equifax and countless other companies have.
Many organizations believe that simply migrating to the cloud will solve their security problems. Although adopting a cloud model for app development and delivery has many benefits, it’s essential to address security vulnerabilities before executing a cloud migration strategy. In our work with customers from all around the world, we at VMware Tanzu Labs have found hundreds, if not thousands, of common vulnerabilities and exposures (CVEs) that should be addressed before any modernization work is done.
No one wants to admit that they were breached as a result of unremediated CVEs, but in our practice, we see it happen all the time, even within large, prestigious organizations. In fact, according to Contrast Security co-founder and CTO Jeff Williams, “The average web application or API has 26.7 serious vulnerabilities…and organizations often have hundreds, thousands or even tens of thousands of applications.” That’s a scary high number!
While most people know that they need to address CVEs as part of their app modernization initiatives, that work is often put off. Let’s face it: It’s a lot more fun to talk about doing cool “new” things than fixing old ones, not to mention that leadership teams expect constant innovation. For large enterprises, which likely have thousands of unattended CVEs, remediating them can be a daunting task. As a result, many companies attempt to adopt a cloud model despite having numerous CVEs in their data centers. This can not only lead to malicious attacks but also set your migration progress back and waste a lot of time.
Here’s why you should remediate CVEs before migrating to cloud:
- Security risk: Migrating to the cloud increases the potential for breaches, as potentially more people will have access to your cloud environment than to your data center. Mitigating vulnerabilities before you migrate will help to eliminate some of that security risk.
- Compliance: In highly regulated industries, it’s critical to maintain certain security requirements. Organizations that don’t comply are met with consequences such as fines and/or reputational damage. Even if you’re not in a highly regulated industry, it’s likely that your organization has its own levels of security expectations.
- Migration complexity: If you put “mess” in, it’s likely you’ll get “mess” out. If you migrate a bunch of CVEs to the cloud, you’re still going to have to deal with them once they’re there. Having a lot of vulnerabilities prior to your migration can lead to additional complexity once you’re in the cloud.
- Higher cost: It’s typically easier and cheaper to mitigate CVEs while they’re still in a known environment like your data center than to remediate them in a new and somewhat unknown environment like the cloud.
So, we’ve established why you should remediate CVEs before migration to cloud, but what about the “how?” We know how painstaking it can be to address CVEs, especially at a large scale, due to the time and effort necessary to mitigate them. But keeping the following three essentials in mind will help teams create an effective CVE remediation practice at scale.
No. 1: Know What You Have
There are countless tools, including many open source options, for teams to gather important information about their data centers and the vulnerabilities within them. Here are some of the open source tools that we recommend to build a full understanding of the current state of your portfolio:
Not only can these tools inform you of what kind of vulnerabilities you have, but they can also help you prioritize them based on factors such as risk, urgency and the amount of cost and time it will take to mitigate them.
No. 2: Take Action on Vulnerabilities with Intention
You’ll need to build a solid decision-making framework to inform what you need to address now versus later. For example, critical CVEs might exist in internal-facing applications that you can live with (provided you have tight network security), but the same critical CVE in a public-facing application should be addressed immediately. We’re not suggesting every single CVE needs to be fixed; we’re suggesting you make informed choices on which ones to address and when.
Now, the act of actually mitigating your list of CVEs is the most arduous step. Depending on the size of your organization and its existing vulnerability management strategy, you may have hundreds, if not thousands, of CVEs to address. Not to worry. Getting through these will prove valuable in the long run by protecting your organization and its data.
If your organization has not done a CVE overhaul in a long time, it’s likely that this step will take a while to accomplish, so you might need to get scrappy. Get your leadership’s support, find opportunities to collaborate with other teams on this and find resources to help your team patch these vulnerabilities routinely.
No. 3: Build Vulnerability Scanning into Every Step, Every Time
This step is critical: Build automation into your vulnerability management strategy. Automation is the most efficient way to scale and maintain your CVE mitigation strategy. Every team has a number of forces competing for their time. By incorporating automation into your workstream, you’ll be better able to take the guesswork out of which CVEs should be addressed and when, while also being able to focus on your day job (which is likely not just CVE patching).
CVEs are always evolving, so it’s important to constantly monitor for new vulnerabilities, and automation helps immensely with that process.
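The decision framework from No. 2 and the automated scanning step from No. 3 can be combined into a single pipeline gate. The sketch below is an added example, not code from the article or from VMware Tanzu Labs; the CVSS cut-offs, field names, app names and placeholder CVE IDs are all assumptions made for illustration.

```python
import sys
from dataclasses import dataclass

# Assumed cut-offs for this example (CVSS v3 base scores); the article sets no thresholds.
CRITICAL, HIGH = 9.0, 7.0

@dataclass(frozen=True)
class Finding:
    cve: str                  # placeholder ID, not a real CVE
    app: str
    cvss: float
    public_facing: bool
    network_restricted: bool  # "tight network security" is in place

def decide(f: Finding) -> str:
    """Map one scanner finding to 'fix-now', 'schedule' or 'backlog'."""
    if f.cvss >= CRITICAL:
        # A critical CVE is only deferrable when the app is internal AND
        # the network controls that justify living with it actually exist.
        if f.public_facing or not f.network_restricted:
            return "fix-now"
        return "schedule"
    return "schedule" if f.cvss >= HIGH else "backlog"

def gate(findings):
    """Pipeline gate: (exit code, blocking findings sorted worst first)."""
    blocking = sorted((f for f in findings if decide(f) == "fix-now"),
                      key=lambda f: f.cvss, reverse=True)
    return (1 if blocking else 0), blocking

# Constructed scanner output: the same critical CVE in three different contexts.
SAMPLE = [
    Finding("CVE-PLACEHOLDER-0001", "customer-portal", 9.8, True, False),
    Finding("CVE-PLACEHOLDER-0001", "intranet-wiki", 9.8, False, True),
    Finding("CVE-PLACEHOLDER-0001", "legacy-reports", 9.8, False, False),
    Finding("CVE-PLACEHOLDER-0002", "customer-portal", 7.5, True, False),
    Finding("CVE-PLACEHOLDER-0003", "intranet-wiki", 4.3, False, True),
]

if __name__ == "__main__":
    code, blocking = gate(SAMPLE)
    for f in SAMPLE:
        print(f"{decide(f):9} {f.cvss:4} {f.app:16} {f.cve}")
    sys.exit(code)  # non-zero fails the pipeline stage
```

Run as a pipeline step, the non-zero exit code blocks the build only for findings that need immediate action, while scheduled and backlog items stay visible in the printed report.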
Ultimately, as tedious and painstaking as it can feel to address CVEs, we’ve seen firsthand how critical it can be to the security of your business. By having a solid understanding of what CVEs you have, building a strategy to mitigate them and folding automation into the mix, you’ll be in a much better position to scale your vulnerability management strategy with ease. Plus, once you no longer have vulnerabilities bogging you down, your cloud migration initiative will likely be much more successful.
To learn more about security best practices, check out a preview of the ebook “Securing Cloud Apps,” come and find us at RSA this week and catch Sumit Dhawan’s keynote about how infrastructure can help establish a new ground truth for today’s cyber professionals.