Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Three Questions for Your Cloud Vulnerability Management Provider

Note:  Nessus Cloud is now a part of Tenable.io Vulnerability Management. To learn more about this application and its latest capabilities, visit the Tenable.io Vulnerability Management web page.


If your organization is like most, you’re likely using or considering cloud-hosted applications. If vulnerability management (VM) is one of those applications, we have a few questions you should ask potential vendors—including Tenable if you’re looking at Nessus Cloud. There are huge benefits to cloud, but it’s important that for whatever cloud applications you use, you’re getting the capabilities you need and that the application and your data are secure. Here are three important questions for security providers.

1-What are the unique strengths of your product?

Cloud-hosted applications have definite benefits. For example, they often require less maintenance because they can update automatically and you have little or no infrastructure to manage while running them. While these benefits are great, if the application doesn’t have the basic and/or advanced capabilities your organization needs, they really don’t matter. So focus many of your vulnerability management questions and discussions on basic capabilities like “What assets does the product scan?” And include more in-depth questions like:

  • How does your product handle internal and external scanning? Can it scan from both in-cloud and on-premises scanners?
  • Where are your external scanners deployed? (Ideally they should be close to your targets for faster/more efficient scanning.)
  • How does it manage credentials?
  • What scanning options are available (credentialed, non-credentials, agent-based, agent-less)?
  • Can it scan cloud infrastructure?
  • How does it prioritize vulnerabilities?
  • Does it scan for misconfigured systems? What guidelines does it use to identify misconfigurations?
  • How does it integrate with malware detection systems?
  • How does your product report back results?

Focus a big part of the conversation on capabilities and don’t assume every system will have all the capabilities you need

Vulnerability management is a big and broad area and depending on the needs of our organization and the goals of your program, these and other questions will make sense. Our advice is simply to focus a big part of the conversation on capabilities and don’t assume every system will have all the capabilities you need.

2-How, and how often, do you update your application?

One of the benefits of cloud applications (noted above) is that cloud applications can be automatically updated. It’s important to hear from your cloud vulnerability management vendor how this process happens and how you’ll get notified about updates.

You might drill into this topic from two perspectives:

  • Rapid response: When a major vulnerability is identified, how does the organization add that vulnerability to their solution? How quickly does this typically happen?
  • Business-as-usual: For normal day-to-day updates and operations, how often does the vendor update the product with new features, how quickly are new IT assets supported, and how long are ‘old’ IT assets supported?

Make sure your vulnerability management provider, regardless of whether they are a cloud-hosted solution or not, supports your environment

Depending on the makeup of your IT environment, it might be more important to you that a vendor support emerging areas like cloud infrastructures versus assets like legacy Unix servers or vice versa. Make sure your vulnerability management provider, regardless of whether they are a cloud-hosted solution or not, supports your environment.

3-How do you secure your application?

You could easily argue that you trust any vulnerability management solution with your data whether that solution is running in the cloud or on-premises, so this is a good topic for any VM vendor. But there are some unique things you could ask a cloud VM provider to understand how they keep their application and your data safe. This includes topics like:

  • How do you separate instances? How to you ensure that one customer doesn’t get access to an adjacent customer’s data?
  • Where do you store data? How do you encrypt it?
  • What is your Service Level Agreement for availability?
  • What do you do for redundancy? What is your disaster recovery (DR) plan if a disaster hits your data center?
  • What’s your disclosure policy if your application is breached?
  • How do you patch your application? How frequently do you patch it? What happens when you are doing maintenance – can I still access the system?

Many good organizations provide guidance for vendors and consumers of cloud infrastructure and applications. One example is the Cloud Security Alliance. Another is the Australian Signals Directorate, basically the Australian equivalent of the NSA. While the Australian Signals Directorate is government-centric, the group has great guidance on a variety of cyber security and cloud security topics and is worth checking out if you are considering moving any applications or processes to a cloud environment.

Ask tough questions to get a complete understanding of how they handle security in their cloud-hosted application

You can also ask what standards and certifications that cloud VM vendor has for their data center. For example, SSAE 16 is an important data center certification. But don’t rely on just one certification. Ask tough questions to get a complete understanding of how they handle security in their cloud-hosted application.

Want more on this topic?

If you’re interested in this topic, we covered these areas and much more in a recent webcast with Paul Asadoorian and Jack Daniel from Tenable, and John Kindervag from Forrester Research on What to Look for in a Cloud Vulnerability Management Solution. You can listen to the entire conversation via the on-demand recording.