By Colin Minihan, Director, Cloud Application Security, VMware
The traditional view of vulnerability management is mostly about patch management, which is only one element of a comprehensive cybersecurity program. New models of working offer both challenges and opportunities for taking a more holistic and effective approach to managing cyber security risks across a modern enterprise.
These new models reflect changes to the way software solutions are developed and operated, including the move to the cloud and to DevOps. With the cloud, we can’t rely on everything sitting inside a perimeter where a dedicated operations team manages and patches servers. In a DevOps world, things move more quickly, and we have fewer gates to rely on.
VMware has a long-established security development lifecycle which guides the creation of secure products and services. Technology underpins our business processes and we must monitor these technologies for updates that address known vulnerabilities.
However, as VMware solutions become more advanced alongside continued digital transformation and a cloud focus, vulnerability management must extend beyond a traditional patch management focus. Another challenge of the last decade is discovering vulnerabilities across an increasingly mobile workforce, many of whom use their own personal devices. To keep pace with rapid innovation, we leverage zero trust and mobile workforce solutions.
Discovery is Foundational
Arguably the best understood element of vulnerability management is the discovery process. The vulnerability management team uses a variety of discovery methods, ranging from hands-on penetration testing by our Red Team to automated scanning of the many layers of infrastructure. But before we can discover vulnerabilities on VMware systems, we must know what VMware systems exist.
Discovery is a relatively easy task for data centers and on-premises systems. With the move to the cloud, and the dynamic nature of DevOps, systems now live in many locations and change rapidly. To address this challenge, VMware centralizes the oversight of cloud environments and pulls the inventory of systems in real time via APIs to multiple cloud providers. We then extend beyond infrastructure scans to review the configuration of cloud environments with CloudHealth® Secure State™.
Following the discovery of security vulnerabilities across a vast landscape of systems and devices, the next challenge is informing those who can address the risk.
Vulnerability Communication Requires Context
When informing relevant stakeholders of a discovered vulnerability, context is key. With hundreds of thousands of systems and devices, it is no small task to maintain metadata about the criticality of every asset and which people and teams will be involved in addressing security risk. While some companies might be able to inform stakeholders with tribal knowledge of the organization, we can only succeed at scale with automated context gathering and notification systems.
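The context-gathering step described above, as an added illustration that is not VMware's tooling: scanner findings are joined against an inventory record (as an API pull from cloud accounts might yield, here constructed) that carries assumed fields for criticality, environment, exposure and owning team, a contextual priority is derived, and each finding is routed to the team that can act on it. Assets the scanner reports but the inventory does not know are routed to a separate queue rather than dropped, since an inventory gap is itself a discovery failure.

```python
from collections import defaultdict

# Constructed inventory: asset id -> context. Field names are assumptions for this example.
INVENTORY = {
    "i-0a1b2c": {"env": "prod", "criticality": "high", "owner": "payments-team", "internet_facing": True},
    "i-0d3e4f": {"env": "dev", "criticality": "low", "owner": "platform-team", "internet_facing": False},
}

# Constructed scanner output: asset id, placeholder vulnerability id, base severity score (0-10).
FINDINGS = [
    {"asset": "i-0a1b2c", "vuln": "VULN-PLACEHOLDER-1", "score": 7.5},
    {"asset": "i-0d3e4f", "vuln": "VULN-PLACEHOLDER-1", "score": 7.5},
    {"asset": "i-unknown", "vuln": "VULN-PLACEHOLDER-2", "score": 9.8},
]

# Weighting chosen for illustration only; a real program would tune this to its own risk model.
CRIT_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}


def prioritize(finding, inventory):
    """Return (contextual priority, asset context), or None when the asset is not in the inventory."""
    asset = inventory.get(finding["asset"])
    if asset is None:
        return None
    score = finding["score"] * CRIT_WEIGHT[asset["criticality"]]
    if asset["internet_facing"]:
        score += 1.0          # same flaw matters more on an exposed system
    if asset["env"] != "prod":
        score -= 1.0          # and less in a non-production environment
    return round(min(max(score, 0.0), 10.0), 1), asset


def route(findings, inventory):
    """Group findings by owning team, highest priority first; unknown assets go to an inventory-gap queue."""
    queues = defaultdict(list)
    for finding in findings:
        result = prioritize(finding, inventory)
        if result is None:
            queues["inventory-gap"].append({**finding, "priority": None})
            continue
        priority, asset = result
        queues[asset["owner"]].append({**finding, "priority": priority, "env": asset["env"]})
    for queue in queues.values():
        queue.sort(key=lambda f: -(f["priority"] or 0.0))
    return dict(queues)


if __name__ == "__main__":
    for team, items in route(FINDINGS, INVENTORY).items():
        print(team, [(i["asset"], i["vuln"], i["priority"]) for i in items])
```

With the constructed data, the same finding scores 8.5 on the exposed production asset and 2.0 on the internal dev asset, and the unknown asset lands in the inventory-gap queue for the discovery team rather than disappearing.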
Mitigation of Remediation Exceptions
While we seek full remediation whenever possible, there are scenarios where only compensating controls, workarounds, or other mitigations are possible. VMware’s move to micro-segmentation and zero trust has significantly expanded these options. When a vendor announces a zero-day vulnerability in technology in use at VMware, waiting for the vendor to release a patch may introduce an unacceptable delay. Since zero trust architecture requires granular access control over resources, the security posture of the accessing device becomes an additional variable in allowing or denying access to corporate resources.
Dynamic Nature of Vulnerability Management
While we have spent a substantial amount of time and energy building our vulnerability management program, our work is never done. The growth and innovation of VMware, with its ever-advancing technical environment, makes our roles in vulnerability management incredibly exciting as it presents new challenges and opportunities for securing our systems.
Read Part Two of this blog where we cover the importance of communication and collaboration between the VMware IT vulnerability management team and other VMware business units for the efficient remediation of security vulnerabilities.
VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. Contact your sales rep or [email protected] to schedule a briefing on this topic. Visit the VMware on VMware microsite and follow us on Twitter.