I was on my way to a lunch appointment when I started thinking of the headache of managing patching in the cloud. More importantly, how would you ensure that your template server, the one you clone to build new servers, is current?
To resolve this, I’d love to see a cloud provider offer the ability to patch the dark VM on disk, and if you have a local cloud, say using VMware, do the same thing to your VM on disk. After all, there’s an exploit that goes directly after a VM image; why not a program that will scan that disk image?
this article by Chris Brenton from the CloudPassage BLOG. 1) I didn’t realize how out of date the patch levels are for Windows machines at AWS (2 years?) and Linux. 2) According to Bryan, enStratus and RightScale could help keep your deployments consistent. I’m sure there are other methods to handle consistent release of patches; just don’t forget to design for this. No matter what, you need to develop a process, or have tools, that ensures your gold image is also patched.
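One cheap way to turn "make sure the gold image is patched" into a process is to pull the package manifest out of the template image (without booting it, by mounting the disk and running the package database query against it, or from a boot-time inventory) and diff it offline against the package versions your patched fleet currently carries. The script below is an added example written for this post, not code from CloudPassage or from any tool mentioned here. It assumes both manifests are available as plain "name<TAB>version" text (the shape you get from `dpkg-query -W -f='${Package}\t${Version}\n'`), uses constructed sample data, and implements a simplified Debian version comparison (epochs, `~` pre-release ordering and revisions are handled, but it is not a drop-in replacement for `dpkg --compare-versions`).

```python
"""Offline drift check: flag packages in a gold (template) image whose
version is older than the current reference manifest.

Added example, not part of the original post. The manifests below are
constructed sample data, not real package inventories.
"""
import re

# Constructed sample: what the template image currently carries.
GOLD_IMAGE_MANIFEST = """\
openssl\t1.0.0e-2
bash\t4.2-1
libc6\t2.13-26
nginx\t1.0.5-1
"""

# Constructed sample: versions on a freshly patched reference host.
CURRENT_REFERENCE_MANIFEST = """\
openssl\t1.0.0e-3
bash\t4.2-1
libc6\t2.13-27
nginx\t1.0.5-1
sudo\t1.8.3-1
"""


def parse_manifest(text):
    """Parse 'name<TAB>version' lines into a dict; skip blanks and comments."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("\t", 1)
        pkgs[name] = version.strip()
    return pkgs


# Each step of a dpkg-style comparison is a run of non-digits then digits.
_PART_RE = re.compile(r"(\D*)(\d*)")


def _char_order(c):
    """dpkg character ordering: '~' < end-of-string < letters < other chars."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string the dpkg way."""
    while a or b:
        ma, mb = _PART_RE.match(a), _PART_RE.match(b)
        la, na = ma.group(1), ma.group(2)
        lb, nb = mb.group(1), mb.group(2)
        for i in range(max(len(la), len(lb))):  # lexical part, char by char
            oa = _char_order(la[i] if i < len(la) else "")
            ob = _char_order(lb[i] if i < len(lb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        ia, ib = (int(na) if na else 0), (int(nb) if nb else 0)  # numeric part
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 (v1 older, equal, newer); simplified dpkg semantics."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "0")
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def find_stale_packages(gold, reference):
    """Map package -> (gold version, reference version) for packages that fell behind."""
    stale = {}
    for name, gold_ver in gold.items():
        ref_ver = reference.get(name)
        if ref_ver is not None and compare_versions(gold_ver, ref_ver) < 0:
            stale[name] = (gold_ver, ref_ver)
    return stale


def report(gold_text, reference_text):
    """Print one line per stale package and return the stale map (empty means the image is current)."""
    stale = find_stale_packages(parse_manifest(gold_text), parse_manifest(reference_text))
    for name, (old, new) in sorted(stale.items()):
        print(f"{name}: gold image has {old}, current reference is {new}")
    return stale


if __name__ == "__main__":
    report(GOLD_IMAGE_MANIFEST, CURRENT_REFERENCE_MANIFEST)
```

Run it from a cron job or your build pipeline and fail the "promote this template" step whenever `report()` returns anything; that gives you the gate the post is asking for without booting the template. Packages present only in the reference (like `sudo` above) are deliberately ignored, since a missing package is a build-recipe question rather than a patch-level one.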
There are some other good articles on the CloudPassage BLOG. There’s a good one that runs you through the “virtual firewall” design issues. Their solution was cheap: use the local firewall that comes with the OS (iptables for Linux, for example). Guess what, CloudPassage has a nice tool that I’m reviewing right now that helps you keep your Linux and Windows local firewalls current and consistent. Stay tuned; it will be published in the next day or so.
References & Related
- 10 Things My Mom Didn’t Warn Me About the Cloud (CloudPassage Blog)
- Challenges & Risks of Implementing Cloud Computing (Cloudrant)
- Cloud Servers: New Risk Considerations (Cloudrant)
- Comparing Local to Cloud Security (Cloudrant)
- Chris Claborne