How to deal with the unique patch upgrade management challenges of cloud computing

Source: Internet
Author: User
Keywords Patches upgrades cloud computing patch upgrades management

Is patching systems and applications in the cloud the same as patching them in a typical production environment? Probably not. While the concept, importance, and usefulness of patching within an overall security and risk management plan have not changed, the details of cloud-based patch management are still very different from traditional internal patch management.

In this article, we will explore some of the challenges posed by patch management in cloud computing environments, along with some ideas for keeping systems and applications up to date more effectively.

Considerations for cloud-based patch management

The first consideration in cloud patching is one of the oldest questions in cloud computing: who is responsible? As with many questions in cloud computing, the answer depends on the cloud delivery model.

In the Software as a Service (SaaS) model, consumers completely lose control over the patching process. In this case, if the cloud provider does not have a complete patch and configuration management process, the negative impact on consumers is easy to imagine. For example, in 2010, the blogging platform WordPress experienced a serious business outage due to a faulty patch upgrade operation. For all consumers using SaaS or Platform as a Service (PaaS) offerings, the Cloud Security Alliance (CSA) recommends that their suppliers comply with its Cloud Controls Matrix (version 1.3), as follows:

Policies, procedures, and implementation mechanisms related to vulnerability and patch escalation should be developed to ensure timely assessment of vulnerabilities in applications, systems, and network devices, prioritize critical patches in a risk-based manner, and upgrade vendor-supplied security patches in a timely manner.

In a PaaS environment, enterprise users may have more control over patching and configuration, especially for the components and development libraries of applications and development environments. Fold patching for all platforms in use (such as ASP.NET, PHP, Java, and so on) and for the applications running on them into existing test and QA cycles, and patch them at the same time as (or within the same cycle as) internal applications.

In a PaaS environment, the bigger challenge is management. When implementing patch upgrades today, infrastructure teams need to collaborate more closely with development and test teams than ever before. The vendor is still responsible for all patching of the back-end infrastructure, including the operating system and network components, and the same issues and concerns mentioned for the SaaS environment also apply to this model.

For Infrastructure as a Service (IaaS) vendors, the maintenance team can install traditional patch management agents from vendors such as IBM and Microsoft. These agents can report to patch servers located in a central data center or even in the same cloud infrastructure, depending on the specific deployment scenario. For cloud servers, there are also new cloud-based patch management options, such as those from the vendor ScaleXtreme, that work for both internal and public cloud systems (the cloud systems can be hosted by Amazon EC2 and other major cloud vendors). This makes it easier to assess and patch both kinds of system in the same patching task. Other cloud-based patch management options include MaaS360 from Fiberlink Communications Inc. and Go from VMware.

Preparation for patch upgrades: support from cloud computing providers

In addition to settling on the vendor model for your cloud-based patch management tasks, the Cloud Security Alliance's Consistency Assessment program recommends that all potential cloud service providers (CSPs) address the following questions on patching and vulnerability management:

Do you regularly scan for network-layer vulnerabilities as prescribed by industry best practices?

Do you regularly scan for application-layer vulnerabilities as prescribed by industry best practices?

Do you regularly scan for local operating system-layer vulnerabilities as prescribed by industry best practices?

If your users request it, will you provide them with the results of the vulnerability scans?

Do you have the ability to rapidly patch all of your computing devices, applications, and systems?

If your users ask, will you provide them with a risk-based system patching schedule?

Ultimately, the support that companies seek from cloud providers should be an adaptation of their own internal patch management practices and standards. For standard operating systems such as Windows and Linux, the key factors to consider include the level of exposure (how the system is deployed), criticality (the importance of the system), and the importance of the patch (the extent to which the system would be compromised if the patch were not applied). Important systems that are relatively exposed should receive all key patches as soon as possible; the recommendation is to complete this within a few days. While vendors may not disclose all of their policies and procedures for patch management and change control, they should be able to provide as much detail and assurance as possible to show that they are doing their job.
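One way to turn the three factors above (exposure, criticality, patch importance) and the per-model split of responsibility described earlier into a patch schedule. This is an added example, not part of the original article; the scoring, the day thresholds, and the asset names and patch IDs are constructed assumptions.

```python
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}
# (minimum score, days to patch). Assumed thresholds; 3 stands in for "a few days".
DEADLINES = [(18, 3), (8, 14), (4, 30), (1, 90)]
# Who applies a patch, per delivery model and layer, as the article describes.
OWNER = {
    "saas": {"os": "provider", "platform": "provider", "app": "provider"},
    "paas": {"os": "provider", "platform": "customer", "app": "customer"},
    "iaas": {"os": "customer", "platform": "customer", "app": "customer"},
}

@dataclass(frozen=True)
class Asset:
    name: str
    model: str        # "saas", "paas" or "iaas"
    exposure: str     # how openly the system is deployed
    criticality: str  # importance of the system

@dataclass(frozen=True)
class Patch:
    patch_id: str
    layer: str        # "os", "platform" or "app"
    severity: str     # importance of the patch

def deadline_days(asset: Asset, patch: Patch) -> int:
    score = LEVEL[asset.exposure] * LEVEL[asset.criticality] * LEVEL[patch.severity]
    return next(days for floor, days in DEADLINES if score >= floor)

def plan(pending):
    """Return (days, asset, patch_id, owner, action) rows, most urgent first."""
    rows = []
    for asset, patch in pending:
        owner = OWNER[asset.model][patch.layer]
        days = deadline_days(asset, patch)
        action = (f"patch within {days} days" if owner == "customer"
                  else f"request provider schedule, expect {days} days or less")
        rows.append((days, asset.name, patch.patch_id, owner, action))
    return sorted(rows)

# Constructed sample inventory (hypothetical assets and patch IDs).
PENDING = [
    (Asset("internal-api", "paas", "low", "medium"), Patch("PATCH-OS-004", "os", "low")),
    (Asset("public-web", "iaas", "high", "high"), Patch("PATCH-OS-001", "os", "high")),
    (Asset("crm", "saas", "high", "medium"), Patch("PATCH-APP-002", "app", "high")),
    (Asset("internal-api", "paas", "low", "medium"), Patch("PATCH-LIB-003", "platform", "medium")),
]

if __name__ == "__main__":
    print(*plan(PENDING), sep="\n")
```

Rows owned by the provider are the ones to check against the risk-based patching schedule the provider is asked for in the questions above.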

Ready for a new patch upgrade

Patching in a cloud computing environment poses new challenges for both IaaS and PaaS environments, primarily in collaboration and configuration control. Although all vendors have formally passed internal patch and vulnerability management control assessments and can provide at least a minimum of independent certification of controls (such as an SSAE 16 report), auditing and evaluating cloud providers in PaaS and SaaS environments is proving problematic. While emerging products make it easier to patch across internal and external systems, and a patch repository and/or management platform local to the same cloud environment is more appropriate, most organizations may still stay with the tools they use in IaaS deployments.

(Responsible editor: The good of the Legacy)
