Government // Cloud computing
Commentary
5/9/2014
10:55 AM
50%
50%

Cloud Providers Must Share Discovered Vulnerabilities

Government agencies must band together and insist in their contracts that cloud service providers share vulnerability information.

Government agencies that rely upon cloud service providers have to trust that cloud providers will protect their data or services from risk and harm. In a perfect world, cloud providers would have a complete understanding of the unique missions -- and risks -- that agencies face.

In reality, cloud service operators tend to provide a "one size fits all" approach to services that often overlooks specific or unique mission risks. As a result, government agencies must ultimately accept responsibility for ensuring that cloud providers offer the appropriate amount of protection to manage risk. It also requires agencies to directly address some fundamental questions regarding risk.

According to NIST Special Publication 800-30, "Guide for Conducting Risk Assessments," risk is a function of threats that can exploit vulnerabilities that in turn can lead to an undesirable impact to the organization. There are three aspects of this equation (threats, vulnerabilities, and impact), and agencies must consider all of them to understand ongoing risk in their cloud environments.

[Federal agencies have until June 5 to certify their cloud systems. Here's what will happen if they miss the deadline: FedRAMP Deadline Looms For Agencies, Cloud Providers.]

Agencies can ascertain potential threats using information provided by NIST, US-CERT, the organization's security operations center (SOC), or several other industry threat feeds. They can then determine the potential impact of these threats, using NIST's Federal Information Processing Standards Publication 199 and the guidance provided by NIST SP 800-60.

However, where and when do agencies gain an understanding of vulnerabilities in a cloud provider's offering?

In the past, agencies would conduct vulnerability scans, penetration tests, and security assessments as part of the FISMA authorization and continuous monitoring processes. The agency controlled or owned the infrastructure and could therefore perform testing at its leisure. This led to volumes of vulnerability information in the form of scanner output and assessment findings. These results were fed into the risk management equation along with impacts and threats to determine an organization's risk posture.

Image: Flickr Community Commons - FutUndBeidl
Image: Flickr Community Commons - FutUndBeidl

With cloud computing, vulnerability information can be difficult, if not impossible, to thoroughly, regularly, and accurately obtain.

The early CONOPS -- the Concept of Operations for FedRAMP (the Federal Risk and Assessment Management Program for cloud security) -- required agencies to negotiate the exchange of vulnerability information with the cloud provider. The most recent version of the CONOPS and the Continuous Monitoring and Strategy Guide require agencies to delineate between agency controls and cloud service provider controls for reporting.

While incident sharing is covered extensively, vulnerability-information sharing is barely addressed; it amounts to an annual self-attestation event with monthly scanning reports sent to the FedRAMP information system security officer. No mention is made of sharing information in near real-time with the customer agencies that will experience the negative impact of an exploited vulnerability. Additionally, vulnerability information discovered outside of assessments and scanning is not addressed whatsoever.

Vulnerability scanning and FISMA assessments are not the only way cloud providers receive vulnerability information. Security researchers are constantly testing cloud providers' capabilities.

When agencies move to a cloud provider, they often sacrifice any sense of a staged or development environment because most cloud providers are production only. Therefore, researchers and engineers are often left to test on the production environment. Sometimes they discover massive vulnerabilities, which can lead to administrative-like access to the cloud provider systems.

Ethical researchers will report the vulnerability to the cloud service provider for confirmation and remediation. Often they will provide a proof of concept as part of the submission. A question that often remains unaddressed is:

Next Page

The authors are members of the (ISC)2 U.S. Government Advisory Board Executive Writers Bureau, which includes federal IT security experts from government and industry. The experts write anonymously through the Bureau so they can be more forthcoming with their analysis and ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ed Moyle
100%
0%
Ed Moyle,
User Rank: Apprentice
5/16/2014 | 8:26:36 AM
This is a bigger deal than you might think
So, from a cloud service provider perspective, this is a bigger deal than you might think.  I can tell you that there can be strong internal pressure to not disclose security issues to customers.  That includes explicit vulnerabilities, but also operational issues that prevent security controls from working at full utility (for example, configuration problems, etc.)  In fact, the pressure is strong enough that I used to use it as an interview question when hiring resources.  For example, at the first interview I would ask something like:

"Hypothetical scenario: you discover a configuration issue in a customer's managed IDS instance that prevents it from scanning all relevant traffic.  The customer is heavily regulated, has had a number of support issues recently and has gone on record that one more issue will cause them to take their business elsewhere.  The account management team advises you to not inform the customer until the issue is resolved, which the technical manager says will take 3 months. What's the best course of action?"


If their answer was anything other than some form of "suck it up and immediately inform the customer", I would (politely) end the interview and cross them off the list.  That said, I'm sure that not everyone at every CSP shares that same view.  
Charlie Babcock
100%
0%
Charlie Babcock,
User Rank: Author
5/13/2014 | 3:50:42 PM
Eastablish a central vulnerability reference
The idea of vulnerabilty sharing by cloud providers is a good one and spreads the cost of keeping up with the varous forms of assault. Just as disease outbreaks come to the attention of the Center for Disease Control, so should vulnerabilities be contained through some centralized system of sharing analysis and countermeasures.
WKash
100%
0%
WKash,
User Rank: Author
5/13/2014 | 12:15:17 PM
Re: Feudalism
Stratustician, one compelling aspect of the FedRAMP cloud security authorization program is the role of 3PAOs - third party assessment organizations that providers must hire to assess/audit a service's security practives, processes. And because providers must have their FedRAMP authority renewed annually, there's less room to hide vulnerability incidents.
Stratustician
100%
0%
Stratustician,
User Rank: Ninja
5/13/2014 | 12:04:28 PM
Re: Feudalism
You're right, until the power shifts from the provider being protected by the SLA to the customers who have enough influence to demand more from the service provider, we are still at the mercy of the providers themselves who determine the levels of security that these services entail.  Prior, with managed security, there was more at risk as these providers had to consistenly prove their results, with cloud, there is more room for abstraction when it comes to the security backend and so customers rarely have insight into the real vulnerabilities that exist.  Perhaps this will cause a shift to having providers partner with third-party managed security providers to prove security performance? I really do hope so.
rfoeckl
50%
50%
rfoeckl,
User Rank: Apprentice
5/12/2014 | 8:37:11 PM
Story
Interesting story.
WKash
100%
0%
WKash,
User Rank: Author
5/12/2014 | 2:22:32 PM
Re: Feudalism
One of the big arguments in favor of well-run, established cloud service providers is the notion that customers' data are better protected through a central utility w/ top securitiy teams at the console, then when their data are spread out, and exposed to a wider array of threats, across multiple systems within an agency.   But as cloud providers become more commodity-oriented, and pricing pressures threated to role back some of that extra security expertise, customers may find their only leverage is to band together - in fuedal fashion - with other users to ensure they're getting the protection(s) they're paying for in their SLAs. 
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
5/12/2014 | 5:55:55 AM
Re: Feudalism
Yea, there's been an interesting power shift with the growth of the cloud - which is why many governments are simply building their own. However, I hope with government security fears over unlawful spying or viewing of secretive data, that more politicians will reconsider the way that domestic intelligence agencies have been spying on their own citizens in many countries. 
danielcawrey
100%
0%
danielcawrey,
User Rank: Ninja
5/11/2014 | 1:10:18 PM
Feudalism
I have never thought about this example of cloud feudalism that Schneier describes. But it does in many ways describe the kind of mercy we are at with cloud providers. 

At the savings of paying for costly licenses and infrastructure fees, we are confronted with monthly fees and less control. Many IT shops don't like this. But if they want to, they can use their resources to build their own cloud architecture. The technology is available for those who don't like the feudal model. 
Gov Cloud: Executive Initiatives, Enterprise Experience
Gov Cloud: Executive Initiatives, Enterprise Experience
In this report, we'll examine the use of cloud services by government IT, including the requirements, executive initiatives and service qualifications, and auditing and procurement programs that make government cloud adoption unlike that in the private sector.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Nov. 10, 2014
Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Listen Now This InformationWeek
Join us for a roundup of the top stories on InformationWeek.com for the week of November 16, 2014.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.