How To Prevent Hosted Cloud Services from Increasing Patch Vulnerability

Implementing hosted cloud services into one’s enterprise is a huge win for any business, especially those in the data-driven financial sector. However, Champion often sees a key caveat to hosted cloud service migrations: these efforts by and large do not take into account the level of patching the hosted service is running on, especially when the service is shared across multiple businesses with differing service requirements. When the shared hosted service is unpatched, it is at elevated risk of exploitation.

Once you have identified that a hosted service is unpatched, it is time to take action. What I recommend to financial clients is the implementation of an all-encompassing tool that goes beyond simply identifying a vulnerable, unpatched cloud host. By using a more complex tool, you will be able to analyze and take immediate and automatic action when a vulnerability due to missing patches is identified via continuous monitoring. For this task, I turn to BigFix.

Monitoring Hosted Services

BigFix covers all of the basics: monitoring, identifying and analyzing, and taking action based on what the first two steps find. The first question that people ask me is, “How is this possible, given the unlikelihood that a shared, hosted application will have or allow us to run the BigFix agent on hosted application servers?” The beauty of BigFix is that it can monitor both agented and non-agented systems, whether they are hard-wired on an organization’s network, connected over VPN, or cloud-based devices. This means that any devices an organization wants to include within its patch management security scope will be subjected to continuous policy monitoring by BigFix to ensure that all devices meet specified compliance levels.

For those of you in the regulatory-rich financial industry, this is especially important. The clients for whom I have integrated a BigFix patch management environment have shown marked improvements in maintaining the patching side of established security postures. Adding to the richness of BigFix patch management, out-of-the-box reporting of compliance status is provided in real time. These reports are easily viewed and illustrated in a robust, web-based dashboard, and can be quickly adjusted to include historical data. I am personally a fan of the historical data reporting, as it is a great aid in holding cloud service hosts responsible for correcting any vulnerabilities BigFix detects which fall outside of an organization’s allowed security policies.

Identifying And Analyzing Detected Vulnerabilities

Once BigFix patch management monitoring has been set up and is running, most of the heavy lifting has been completed. At this point a business is seeing every missing patch that a hosted application needs, and has the documentation to go along with it thanks to the previously mentioned BigFix dashboard and reporting capabilities. But sometimes this isn’t quite enough, especially for those of you in the financial industry who need to adhere to certain PCI requirements.

Time and time again, I have watched system administrators chase down vulnerabilities that do not apply to their systems, especially in terms of hosted applications. BigFix is geared to prevent administrators from chasing ghosts in the cloud by automatically analyzing the statuses of the devices being monitored by using IBM’s Fixlet® technology, which works to reduce the number of false positives. This greatly improves patching remediation response times throughout an organization, and makes vulnerability remediation an efficient and automated process.

Additionally, BigFix can automatically escalate or de-escalate pending patches based on the rules that are set. This allows a financial institution’s IT security staff to quickly bring to a close any regulatory-violating vulnerability incident while the entire process is monitored via closed-loop verification. And, as vulnerability identification and analysis take place on the device itself, any patching of vulnerabilities will have a very limited impact on an organization’s network bandwidth.

BigFix Is The Ultimate Self-Starter

The really big win for using BigFix for hosted cloud vulnerability detection and patch management comes in its ability to resolve issues in real time without the need to await a response from an administrator. This means that any vulnerability detected in managed, unmanaged or hosted environments will be remediated and will generate alerts and reporting of all activities, including notifications of when remediations have been successfully completed and validated.

BigFix offers a central point from which organizations can ensure that all internal endpoints, as well as cloud-based devices and applications, remain up to date with regard to patching. This is a bonus for businesses in the financial sector, as well as for others needing to comply with PCI requirements.

Take Control Of Hosted Application Vulnerabilities

In utilizing BigFix as a central, one-stop tool for patching detected vulnerabilities, financial organizations ensure security compliance of internal devices as well as hosted cloud applications. Champion will guide financial institutions through this process so that your business can move into the shared services arena with ease.
