As various forms of distributed computing, such as cloud computing, have come to dominate the computing landscape, security has become a bottleneck issue that currently prevents the complete migration of various capabilities and systems associated with sensitive data, such as financial data, to cloud-based infrastructures, and/or other distributive computing models. This is because any vulnerability in any of the often numerous virtual assets provided and/or utilized in a cloud-based infrastructure, such as operating systems, virtual machines and virtual server instances, connectivity, etc., represents a potential threat.
The types of vulnerabilities of concern varies widely from asset-to asset, application-to-application, development platform-to-development platform, and deployment platform-to-deployment platform. For instance, as an illustrative example, vulnerabilities can take the form of a software flaw, or software created in a known vulnerable version of a language. As another example, a vulnerability can be failure to comply with one or more security policies such as a lack of mandated/proper authentication, an unacceptable level of access, or other insufficient security measures, required to meet the security policies and/or parameters associated with the virtual asset, service, system, application, application development platform, and/or application deployment platform. Consequently, the number, and variety, of potential vulnerabilities can be overwhelming and many currently available vulnerability management and verification approaches lack the ability to track and control these potentially numerous vulnerabilities in any reasonably comprehensive, or even logical, manner.
As noted above, the situation is particularly problematic in cases where sensitive data, such as financial data, is being provided to, processed by, utilized by, and/or distributed by, the various virtual assets, systems, services, and applications within the cloud. This is because exploitation of vulnerabilities in a given virtual asset, system, service, or application can yield devastating results to the owners, even if the breach is an isolated occurrence and is of limited duration. That is to say, with many types of data, developing or deploying a remedy for a vulnerability after that vulnerability has been exploited is no solution at all because irreparable damage may have already been done.
Consequently, the current approaches to vulnerability management that typically involve addressing vulnerabilities on an ad-hoc basis as they arise, or in a simplistic, uncoordinated, static, and largely manual, manner are no longer acceptable. Indeed, in order for applications and systems that process sensitive data to fully migrate to a cloud-based infrastructure, security issues and vulnerabilities must be addressed in a proactive, anticipatory, and comprehensive manner, where the security and invulnerability to attack of virtual assets is verified well before any potential attack can possibly occur, e.g. before deployment and publishing in a production environment.
However, currently, this type of comprehensive approach to vulnerability management and verification with security management policies is largely unavailable. In addition, in the few cases where a comprehensive approach to vulnerability management and verification is attempted, the vulnerabilities are typically analyzed after deployment of the virtual assets and then each virtual asset is individually vulnerability scanned and/or verified in the production environment. Consequently, currently, vulnerability management and verification is prohibitively expensive and resource intensive, often requiring significant amounts of dedicated hardware, software, and human administrators that are still often utilized in an ad-hoc manner.
Despite the situation described above, vulnerability management currently consists largely of the uncoordinated deployment/application of vulnerability analysis to individual virtual assets and/or verification of compliance of individual virtual assets with security management policies. In addition, currently, when a vulnerability or lack of proper security is identified in an individual virtual asset, remedies are typically applied to each virtual asset individually.
As a result, the resources currently required to perform vulnerability and verification processes, and to remedy vulnerabilities are prohibitive and often provide an unacceptable level of data, system, service, and/or application security.