SaaS, cloud computing vulnerability management: Choosing a provider

Cloud-based vulnerability scanning is gaining market share. Learn how to decide if these services are a good fit for you and how to choose a provider.

As the security industry slowly moves toward the adoption of managed security service providers, one particular area is gaining steam: vulnerability management delivered via the cloud as Software as a Service. Several vendors now offer cloud-based vulnerability scanning and remediation tools that are quickly gaining market share. In this tip, we'll examine whether cloud-based vulnerability management services are the right choice for your organization, provide criteria to help you select a vendor and discuss an alternative do-it-yourself approach to cloud scanning.

Are SaaS, cloud-based vulnerability management services right for you?

As you consider implementing a Software as a Service (SaaS) vulnerability management product or service, take the time to make sure you've developed and documented a clear business case for moving to the cloud. Your specific rationale may vary, but some of the common benefits that organizations cite include:

Cost savings -- Cloud-based approaches are sometimes able to provide you with lower direct costs by reducing your total expenditures and replacing your combined scanning hardware and software costs with an annual license fee. In almost every case, cloud services reduce your indirect costs by decreasing the amount of time your staff must spend installing and configuring the system.

Ease of updates -- In a SaaS approach, updates occur automatically. The vendor simply patches the product, normally on a predefined schedule, and all customers immediately gain access to bug fixes and feature enhancements simultaneously. Similarly, vulnerability signature updates happen in real time.

Additional perspective -- The combined use of cloud-based scanners and managed appliances results in added security information at your disposal. In addition to seeing the vulnerability picture from your own network, you can see the security profile that your systems expose to the Internet by including a perspective from scanners hosted in the provider's data center.

There is, however, a trade-off to consider: When you move to a cloud-based approach, you give up some level of control. You no longer have access to the underlying operating system and, most importantly, you likely have no control over the application of updates. There simply is no opting out of "enhancements" that may negatively affect your business processes.

When evaluating providers, first ensure the system offered is able to meet your basic business requirements at a reasonable cost. Pay attention to service-level agreements, particularly regarding uptime and the speed of zero-day signature availability. Also, spend some time carefully evaluating the reporting and remediation tracking capabilities of the system.

From the editor: More on cloud security

See more from Mike Chapple in his March 2013 special multimedia series on top-tier enterprise cloud computing security issues:

Information Security magazine cover story: Outsourcing security services in the enterprise: Where to begin

DIY cloud computing vulnerability scanning

If you're not ready to fully plunge into cloud-based vulnerability management, you still may wish to consider adding a cloud-based perspective to your scanning environment. Many vulnerability management system providers offer scanning nodes, either as a virtual appliance or software-only offering. Given the ease of creating virtual servers in an environment such as Amazon Web Services' EC2 cloud, you might want to deploy an additional scanner in the cloud. This scanner can then integrate directly with your existing management console to add the cloud perspective to your scan results.
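The value of the added cloud perspective shows up when findings from both vantage points are correlated. The following is an added example, not part of the original article or any vendor's tooling: it merges two constructed scanner exports and orders findings so that those visible from the Internet are triaged first. The CSV column names, asset names and sample findings are assumptions, and it assumes both scanners report under the same asset names.

```python
import csv
import io

# Constructed sample exports; columns and values are illustrative assumptions.
INTERNAL_CSV = """asset,port,finding,severity
web01,443,Outdated TLS configuration,medium
web01,22,SSH weak MAC algorithms,low
rdp-gw,3389,RDP without NLA,high
app02,8080,Default admin console credentials,critical
"""
EXTERNAL_CSV = """asset,port,finding,severity
web01,443,Outdated TLS configuration,medium
app02,8080,Default admin console credentials,critical
ftp-legacy,21,Anonymous FTP enabled,medium
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Findings reachable from the Internet are triaged before internal-only ones.
VANTAGE_RANK = {"both": 0, "external-only": 1, "internal-only": 2}

def load_findings(csv_text):
    """Return {(asset, port, finding): severity} from one scanner export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {(r["asset"], int(r["port"]), r["finding"]): r["severity"] for r in rows}

def merge_by_vantage(internal, external):
    """Label every finding with the vantage point(s) that observed it."""
    merged = []
    for key in internal.keys() | external.keys():
        if key in internal and key in external:
            vantage = "both"
        elif key in external:
            vantage = "external-only"  # possible gap in internal scan coverage
        else:
            vantage = "internal-only"  # not observed from the cloud scanner
        severity = external.get(key) or internal[key]
        merged.append({"asset": key[0], "port": key[1], "finding": key[2],
                       "severity": severity, "vantage": vantage})
    merged.sort(key=lambda f: (VANTAGE_RANK[f["vantage"]],
                               SEVERITY_RANK[f["severity"]], f["asset"], f["port"]))
    return merged

def triage():
    return merge_by_vantage(load_findings(INTERNAL_CSV), load_findings(EXTERNAL_CSV))

if __name__ == "__main__":
    for f in triage():
        print(f"{f['vantage']:<14}{f['severity']:<9}{f['asset']}:{f['port']}  {f['finding']}")
```

An "external-only" result is worth a second look on its own: it means the cloud scanner saw something the internal scanner did not, which usually points to an asset missing from the internal scan scope.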

Enterprises that haven't deployed any vulnerability scanning capability may also wish to look at free or low-cost approaches that can be built entirely in a cloud environment. For example, the open source vulnerability scanner OpenVAS can be easily set up in the cloud. If you're looking for more bells and whistles, consider Nessus; while it is no longer free, it offers its Professional Feed service for a $1,500 annual license fee.

Vulnerability management is a great way to dip your toes in the waters of cloud-based security services. You can get started with cloud-based vulnerability scanning with a fairly small initial investment and realize significant gains from the additional perspective and reduced management overhead offered by these systems.

About the author:
Mike Chapple, Ph.D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
