
Cloud Providers Must Share Discovered Vulnerabilities

Government agencies must band together and insist in their contracts that cloud service providers share vulnerability information.

At what point does the cloud provider have an obligation to inform a customer agency of this potential vulnerability?

It is important for agency senior management to understand that when an assessment identifies a new risk, this risk did not just materialize when the report reached their desk. Rather, it has likely been in place for some time, and the agency has been unaware but still in a default acceptance posture.

This is similar to a homeowner discovering radon in a basement. While the health risk has always been there, the homeowner didn't know about it until it was tested. In both IT and health risks, the damage may have already been done. Finding the vulnerability and quickly determining appropriate mitigation actions are musts.

Part of the risk equation is probability. This is the likelihood of the threat exploiting the vulnerability. If the likelihood is very low, the risk drops. However, the longer a vulnerability is allowed to exist, the more time and opportunity a threat has to find and exploit it.

While the Department of Homeland Security and the General Services Administration are making progress in implementing continuous monitoring in the cloud, one area that demands immediate attention is vulnerability sharing. Should an agency be expected to wait months for public notice of a potential high-risk vulnerability when possible workarounds are available?

As written, the FedRAMP policies leave agencies in this exact situation. Until DHS and GSA can require sharing of vulnerability information in near-real-time, agencies will continue to be in the dark regarding their overall risk postures. An agency can outsource IT services but not risk or responsibility.

Agencies should ensure that sharing vulnerability information is addressed in the procurement review process and contractual agreements with cloud service providers. Additionally, organizations can take active steps to form collaborative groups of cloud service provider customers to express a common voice and common concern.

In Bruce Schneier's December 3, 2012, blog post, "Feudal Security," he describes cloud security as an experience in feudalism:

Feudalism provides security. Classical medieval feudalism depended on overlapping, complex, hierarchical relationships. There were oaths and obligations: a series of rights and privileges. A critical aspect of this system was protection: vassals would pledge their allegiance to a lord, and in return, that lord would protect them from harm.

In this new world of computing, we give up a certain amount of control, and in exchange we trust that our lords will both treat us well and protect us from harm. Not only will our software be continually updated with the newest and coolest functionality, but we trust it will happen without our being overtaxed by fees and required upgrades. We trust that our data and devices won't be exposed to hackers, criminals, and malware.

The Feudal Lords of Cloud have promised to protect agencies and keep them safe from harm, and it is time they be required to prove it continuously.


The authors are members of the (ISC)2 U.S. Government Advisory Board Executive Writers Bureau, which includes federal IT security experts from government and industry. The experts write anonymously through the Bureau so they can be more forthcoming with their analysis and ...

Ed Moyle
User Rank: Apprentice
5/16/2014 | 8:26:36 AM
This is a bigger deal than you might think
So, from a cloud service provider perspective, this is a bigger deal than you might think.  I can tell you that there can be strong internal pressure to not disclose security issues to customers.  That includes explicit vulnerabilities, but also operational issues that prevent security controls from working at full utility (for example, configuration problems, etc.)  In fact, the pressure is strong enough that I used to use it as an interview question when hiring resources.  For example, at the first interview I would ask something like:

"Hypothetical scenario: you discover a configuration issue in a customer's managed IDS instance that prevents it from scanning all relevant traffic.  The customer is heavily regulated, has had a number of support issues recently and has gone on record that one more issue will cause them to take their business elsewhere.  The account management team advises you to not inform the customer until the issue is resolved, which the technical manager says will take 3 months. What's the best course of action?"

If their answer was anything other than some form of "suck it up and immediately inform the customer", I would (politely) end the interview and cross them off the list.  That said, I'm sure that not everyone at every CSP shares that same view.  
Charlie Babcock
User Rank: Author
5/13/2014 | 3:50:42 PM
Establish a central vulnerability reference
The idea of vulnerability sharing by cloud providers is a good one and spreads the cost of keeping up with the various forms of assault. Just as disease outbreaks come to the attention of the Center for Disease Control, so should vulnerabilities be contained through some centralized system of sharing analysis and countermeasures.
User Rank: Author
5/13/2014 | 12:15:17 PM
Re: Feudalism
Stratustician, one compelling aspect of the FedRAMP cloud security authorization program is the role of 3PAOs - third party assessment organizations that providers must hire to assess/audit a service's security practices and processes. And because providers must have their FedRAMP authority renewed annually, there's less room to hide vulnerability incidents.
User Rank: Ninja
5/13/2014 | 12:04:28 PM
Re: Feudalism
You're right, until the power shifts from the provider being protected by the SLA to the customers who have enough influence to demand more from the service provider, we are still at the mercy of the providers themselves who determine the levels of security that these services entail. Prior, with managed security, there was more at risk as these providers had to consistently prove their results. With cloud, there is more room for abstraction when it comes to the security backend, and so customers rarely have insight into the real vulnerabilities that exist. Perhaps this will cause a shift to having providers partner with third-party managed security providers to prove security performance? I really do hope so.
User Rank: Apprentice
5/12/2014 | 8:37:11 PM
Interesting story.
User Rank: Author
5/12/2014 | 2:22:32 PM
Re: Feudalism
One of the big arguments in favor of well-run, established cloud service providers is the notion that customers' data are better protected through a central utility with top security teams at the console than when their data are spread out, and exposed to a wider array of threats, across multiple systems within an agency. But as cloud providers become more commodity-oriented, and pricing pressures threaten to roll back some of that extra security expertise, customers may find their only leverage is to band together - in feudal fashion - with other users to ensure they're getting the protection(s) they're paying for in their SLAs.
User Rank: Ninja
5/12/2014 | 5:55:55 AM
Re: Feudalism
Yea, there's been an interesting power shift with the growth of the cloud - which is why many governments are simply building their own. However, I hope with government security fears over unlawful spying or viewing of secretive data, that more politicians will reconsider the way that domestic intelligence agencies have been spying on their own citizens in many countries. 
User Rank: Ninja
5/11/2014 | 1:10:18 PM
I have never thought about this example of cloud feudalism that Schneier describes. But it does in many ways describe the kind of mercy we are at with cloud providers. 

At the savings of paying for costly licenses and infrastructure fees, we are confronted with monthly fees and less control. Many IT shops don't like this. But if they want to, they can use their resources to build their own cloud architecture. The technology is available for those who don't like the feudal model. 