So apparently the latest version of the Qualys Laws of Vulnerability Report has Qualys jumping to some pretty outrageous claims about how cloud-computing – invented by Qualys according to Courtot (insert cute smiley here) – can secure IT more effectively or allow people to not patch any more or some such nonsense (thanks to Hoff for the heads up).
Anyway, the logic flaw goes something like this:
1. You in IT can’t effectively patch on time because you use tools like SMS/SCCM or Symantec/Altiris, they suck, and you accept the suckiness that is traditional enterprise software…
In five years, the average time taken by companies to patch vulnerabilities had decreased by only one day, from 60 days to 59 days, at a time when the number of flaws and the speed at which they are being exploited has accelerated from weeks to, in some cases, days.
2. So according to Wolfgang, cloud-computing would somehow fix this problem…
“We believe that cloud security providers can be held to a higher standard in terms of security,” said Kandek. “Cloud vendors can come in and do a much better job.”
Unlike corporate admins for whom patching was a sometimes complex burden, in a cloud environment, patching applications would be more technically predictable – the small risk of ‘breaking’ an application after patching it would be nearly removed, he said.
Cloud-computing sounds awesome!
Let’s see how this would work in the real world using a fictional company. An upwardly mobile 20-something company that fancies itself the next greatest thing to come onto the Biotech scene, or perhaps a straight-laced, stodgy 80-year-old manufacturing company with a 30,000-seat environment – again, not terribly important, but it helps paint the picture. A mix of Windows desktops with 10% servers spread between Windows and *nix (maybe some Solaris, Linux, and a couple of AIX boxes), spread geographically across the globe with offices in London, Hong Kong, maybe even Bulgaria – who knows, it’s not really that important. The company has a desire to centrally manage IT from somewhere on the East Coast, but then really, who wouldn’t desire that?
Anyway, back to the 30,000 computing devices spread throughout the world chugging away, providing services and contributing to the company’s bottom line. Yes, the ones with the vulnerabilities and the poor patch processes and the crappy systems management tools from Microsoft and the vuln scanners scanning them (they totally use a SaaS company for this though) and the endpoint security dramatically impacting performance (McAfee). Add a couple of CISSPs writing reports about how some Chinese/Russian/Brazilian hackers will breach the company’s data, and from there it is only a leaked memo away from the front page page 37 of the Wall St. Journal Iowa Tribune unless the company buys some DLP or encrypts everything or moves security to the cloud, because they read this report about how the cloud-computing companies can secure everything better. So many choices, so do they buy a bunch of junk and ineffectively manage it, or just move it to the cloud? Oh yeah, the cloud is totally the way to go.
So the company bites, the CIO is all excited about this “cloud” thing, and the CFO is already predicting huge cost savings as they go through head count reduction scenarios (no more need for all those FTEs).
Now rid of all that systems and security management software, the company will no longer need to maintain the health or improve the security of the 30,000 computing devices – they’re all in the cloud now – profits begin to soar, and the company is fast-tracked to the top of that screaming bald guy’s stock picks. Life is so freaking sweet in the cloud!
Uh-oh, reality comes knocking as the executives sit around the executive table, heads lowered, wondering what the hell just happened: Wait, you mean I still have to manage those computers? I don’t understand, aren’t they in the cloud? No? I still have to patch Bob in accounting’s Windows machine? And the CEO’s laptop? What about that Unix box running our proprietary and so very highly prized intellectual property? You mean we didn’t even move that to the cloud? Then what the hell did we move to the cloud? Our what? Our HR web portal? WTF?