Mistakes security vendors make in the cloud
A cautionary tale of how one security vendor went astray in the computing cloud, and what the channel can learn from it.

When security experts sound the alarm about embracing cloud computing with little understanding of the risks, it’s usually a case where the expert — working for a vendor — is making a pitch for their employer’s products. That’s all well and good, but here’s the problem — some of them have trouble keeping their own side of the cloud clean. Nils Puhlmann, co-founder of the Cloud Security Alliance, revealed one example where a sizable security vendor made multiple mistakes in the cloud.
Here is a list of what NOT to do when securing the cloud.
MISTAKE 1: Updating the SaaS without telling customers
Customers using a particular version of the SaaS product were caught unaware when the vendor decided to roll out a new version through the cloud. The rollout was done so that, from the moment of the upgrade, any new endpoint added for management automatically received the new version. Customers were not asked or notified, and were forced into a mixed-version environment as a result.
MISTAKE 2: Not offering a rollback to the last version
The problem with the first mistake is that customers are now faced with compatibility issues in their environment that can cause a freeze-up of essential IT functions, including those related to security. The natural course for the IT security practitioner is to uninstall the new but incompatible version, dust off the CD with the last version of the product, and re-install the version that has proven itself stable in that environment. But in the cloud it’s not always so simple, especially in this case, where the vendor offered no rollback option.
MISTAKE 3: Not offering a choice to select timing of an upgrade
Dealing with new software versions that prove incompatible is nothing new. It happens every month when Microsoft releases its security updates. But in most cases, IT has control over when an update is pushed out. Most channel partners run the updates through tests before deployment. But in this case, customers had no control over the timing of upgrades in their environments, Puhlmann said.
MISTAKE 4: New versions ignore prior configurations
The third mistake was particularly problematic because the new version of the SaaS product proved buggy. For example, it disregarded whitelist and firewall settings programmed into the previous version, causing computers to suddenly bog down with pop-up warnings for a variety of commonly used applications, including those built and maintained in-house.
MISTAKE 5: Not offering a safety valve
Had the vendor offered some sort of safety mechanism in its cloud configuration, customers could have at least limited the damage upon realizing a bug was mucking up the works, Puhlmann said. But as far as he could tell, there was no such mechanism.
What the channel can learn from this
Puhlmann does credit the vendor for its response to the mistakes he warned them about. They are now working to improve the process. For channel partners delving into the cloud who may have concerns about these things happening to them, his advice is simple: Ask a lot of questions before signing on the dotted line.
More mistakes to avoid
“You have to ensure things you did in the past, before the cloud, can still be done,” Puhlmann added. “You have to know for sure that services managed in the cloud have the highest integrity, and that you will have choices over whether to receive an update and when the update is made.”