The famous movie “300” tells the story of king Leonidas and his 300 Spartan warriors – who withstood a monumental attack by the Persian empire during the battle of Thermopylae, even though they were significantly outnumbered. Despite the fact king Leonidas did not know much about enterprise-grade security, there are multiple decisions that he had made as a leader that would have made him a spectacular CISO, which avoids the “on-premise” battlefield in favor of the cloud.
When we first started brainstorming on the next-gen architecture concepts of Hysolate, one of the key building blocks was already clear to us – Hysolate must be fully managed from the cloud. No on-premise deployments, not an on-premise application or an on-premise appliance.
At the dawn of its days, the Hysolate management platform was solely an on-premise product. As we continued to grow, we were surprised to learn that many “conservative” companies, such as banks and other financial institutions, refused to have an on-premise deployment. Instead, they requested a fully managed SaaS version of our product – resulting in us maintaining multiple flavors of our management product. Apart from the overhead consideration, we took into account the advantages that our SaaS offering had in terms of security, manageability, and supportability – and encouraged customers to use it.
In this post, we’ll touch on three reasons you should seriously consider adopting cloud-managed IT products – especially for your security products.
Your on-premise products rely on open-source software
One of the famous tactics that allowed Leonidas and the out-numbered Spartans to block the Persian attack in the Battle of Thermopylae – was forcing the Persians to fight in a narrow pass – “The Hot Gates”, where their large numbers would not count. The Spartans tried to reduce the attack surface, so they could handle the attack more effectively. Leonidas knew that the Spartan attack strategy was based on their flawless battle structure – and did all that he could to make sure his counter attack had no vulnerabilities. If Leonidas were a CISO, he would strive to minimize the time it takes to patch vulnerabilities that threaten his organization.
As the open-source ecosystem continues to expand, enterprise products rely on open-source packages more and more. While the utilization of open-source software allows companies to develop better products faster, these products rely on hundreds of open-source packages, with each of them recursively dependent on many more, resulting in thousands of open-source packages bundled together into the product – even for the smallest software products out there.
Unsurprisingly, the number of disclosed open-source software vulnerabilities is on the rise as well. According to the annual report published by WhiteSource earlier this year, over 6,000 vulnerabilities were disclosed in 2019, up from just over 4,000 in 2018. The upside is that 85% of these vulnerabilities already have an available fix upon their disclosure. For SaaS products – these vulnerabilities can be monitored and delivered instantaneously with automatic tracking and patch management, while for on-premise products – your management product remains exposed for weeks or months from disclosure at best, or years at worst.
In the early days of Hysolate, we encountered some customers that preferred the on-premise variant of our management product. By choosing on-premise, these customers decided that they are responsible for upgrading their management server. But how quickly can a large organization upgrade all of their management products? By nature, on-premise products releases are less frequent than SaaS products, while the upgrade operation itself requires some form of manual labour, and often involves more than one employee in the organization. In practice, many IT systems in the organization end-up not being upgraded at all, unless some issue pops up.
Best Practices for a Vulnerability-free Management Product
To minimize the exposure window, you want to automate the upgrade process of your management product, leaving zero need for manual interaction of any employee in your organization. At Hysolate, this is the path we chose, while embracing the best security practices to ensure that our 3rd party packages are up to date, and patch them as soon as a vulnerability is disclosed. Here are some of the things you can do to create a vulnerability-free management product:
- Consider using a paid vulnerability scanning tool. If you’re using multiple types of packages in your project, or developing in multiple programming languages, you should definitely consider using a scanning tool such as WhiteSource, Synopsis, or Snyk. These tools often claim to have larger vulnerability databases and dedicated security research teams, but can often provide additional capabilities such as static code analysis.
- If you’re using a private GitHub repository – enable GitHub’s alerts for vulnerable dependencies. If you already embraced one of the recommendations mentioned above, you should already be covered. The only reason I recommend to enable this one as well – is the fact that it’s so easy. Within three mouse clicks, you will have GitHub scanning your dependencies for you. Note that public GitHub repositories have this feature enabled by default, but if your code is hosted in a private repository – then this tip becomes relevant.
You have a great security team, but you are not Amazon
Large cloud providers have Data Security as one of their main business goals – or as Leonidas would say – this is their profession, this is what they do. Even with an incredible, well-trained security team in your organization – the scale and budgets are simply not the same. The top cloud providers – such as Amazon AWS or Microsoft Azure, spend tremendous amounts of money, annually, on monitoring and improving their security stance. Their servers, platforms, and applications are proactively managed and protected by multiple teams of certified security experts.
These cloud providers maintain a cloud infrastructure that has a much larger magnitude than any single organization’s on-premise infrastructure. Their security tools, visibility, and practices are the heart of their business – and push them to be at the forefront of the security field.
If it’s on-premise, and we’ve got COVID-19, is it really on-premise?
In the new COVID-19 reality, even the most conservative organizations were forced to further open up their security-perimeter, allowing employees to access on-premise organizational assets from home – using either organizational laptops, or even worse – connecting from their own personal devices. Many organizations let their employees access their network via VPN, while having very little control over the end devices and home networks that are connecting to their network. The assumption that the security perimeter will protect your organizational crown jewels, is now more questionable than ever.
This is one of the main reasons why we came up with the new concept of IWaaS (Isolate Workspace as a Service). One of our primary use cases is to enable customers to deploy a sterile, isolated virtual environment on their employees’ personal devices – so that work-related activities are isolated from personal activities.
Summary (choose your battlefield)
In the early days of cloud computing, SaaS products were hastily rejected by large organizations because of security concerns. With mature cloud providers, and the way software development has changed in the past decade, it is now clearer than ever – cloud services can provide not only better service, but also better security.
To conclude, here is one last quote from our favorite Spartan:
The great leaders of ancient times knew that you should always choose your battlefield. While the battlefields have changed, great leaders have stayed the same.