One of the more recent cloud-security topics to draw media attention is the risk created by inadequate patching policies for virtual machines. I know most people are thinking “Endpoint? Really? Isn’t that a simple thing to take care of in any environment?”, but virtual and cloud environments carry nuances that add a layer of complexity many IT professionals have not yet had to think about. Endpoint tagging as it relates to virtual snapshots and VM moves is one of those instances.
If your virtual environment uses snapshots or moves VMs between servers, tagging every VM so that the endpoint policy covers it just makes sense. Everyone remembers that endpoint protection matters on live systems in regular use, but what happens when you forget to apply consistent, automated policies to all VMs?
Take snapshots, for example. It is critical for any environment to approach vulnerabilities proactively. Patching is a necessary evil, and sadly a very reactive practice; this is why we have things like “Super Tuesday” to dedicate time to closing the latest security holes. But suppose that during the latest patching event you bring your entire environment up to date, and then something happens (entirely unrelated to the patching) that causes a glitch in one of the VMs. The most common response is to fire up a previous snapshot to bring the system back online. But what if that snapshot was taken before the patch was applied? If you don’t ensure that all VMs, snapshots included, are tagged for compliance checks, you have potentially reintroduced a known vulnerability into your otherwise patched environment: a hole, albeit an unintentional one, that conflicts with your otherwise compliant infrastructure.
Now what if you move that same VM (or another VM) to another location without the proper controls in place? Any vulnerabilities it carries will travel with it to the new environment, introducing risk there. And while many enterprises have strict patching processes, in a public cloud environment you also need to assume that your neighbours might not.
The best protection against these scenarios is an automated endpoint process that covers every VM, including snapshots and migrated instances. Many of the latest endpoint solutions can do this, most notably Trend Micro with their agentless endpoint security offering. But regardless of which solution you use, keep these cases in mind when updating your security processes to include protection for virtual environments.
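To make the snapshot and migration gaps concrete, here is an added example (not code from the original post or from any vendor) of a fleet audit that flags VMs missing the policy tag, missing baseline patches, or restored from a snapshot older than the last patch event. The tag name `patch-policy`, the patch identifiers and the fleet inventory are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

@dataclass
class VM:
    name: str
    tags: Dict[str, str]                  # inventory tags, e.g. {"patch-policy": "enforced"}
    installed_patches: Set[str]           # patch IDs reported by the guest
    restored_from_snapshot: Optional[datetime] = None  # snapshot creation time, if restored

# Constructed baseline: patches every VM must carry after the last patch event,
# and the time that event completed. Any snapshot older than this predates the fix.
BASELINE_PATCHES = {"KB-A", "KB-B", "KB-C"}
BASELINE_APPLIED_AT = datetime(2024, 3, 12, 22, 0)

def audit_vm(vm: VM, baseline: Set[str] = BASELINE_PATCHES,
             applied_at: datetime = BASELINE_APPLIED_AT) -> List[str]:
    """Return a list of compliance findings for one VM (empty means compliant)."""
    findings = []
    # A VM without the tag is invisible to the automated policy (the migration case).
    if vm.tags.get("patch-policy") != "enforced":
        findings.append("untagged: not covered by the automated patch policy")
    # Compare the guest's patch set against the baseline, not just its tag.
    missing = baseline - vm.installed_patches
    if missing:
        findings.append(f"missing patches: {sorted(missing)}")
    # A restore from a pre-baseline snapshot rolls back the patch event (the snapshot case).
    if vm.restored_from_snapshot and vm.restored_from_snapshot < applied_at:
        findings.append("restored from pre-baseline snapshot: re-scan and patch before returning to service")
    return findings

def audit_fleet(vms: List[VM]) -> Dict[str, List[str]]:
    """Map each non-compliant VM name to its findings."""
    report = {}
    for vm in vms:
        findings = audit_vm(vm)
        if findings:
            report[vm.name] = findings
    return report

# Constructed inventory: one compliant VM, one restored from an old snapshot,
# one migrated to a new host without its policy tag.
FLEET = [
    VM("web-01", {"patch-policy": "enforced"}, {"KB-A", "KB-B", "KB-C"}),
    VM("db-02", {"patch-policy": "enforced"}, {"KB-A"}, datetime(2024, 3, 1, 3, 0)),
    VM("app-03", {}, {"KB-A", "KB-B", "KB-C"}),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(FLEET).items():
        print(name, "->", "; ".join(findings))
```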