During SOC readiness assessments, we are often asked about the key controls surrounding the security of assets in the cloud. Cloud patch management is a critical part of maintaining security, and the controls around this process will be reviewed in any cloud computing audit, like a SOC report. This article will provide guidance on creating an effective cloud patch management program. As various areas of the cloud patch management program are explored, this article will note how they relate to specific controls and tests performed during a SOC examination.
Inventory – Taking Stock of Assets in the Cloud
Creating a comprehensive list of the assets an organization has in the cloud has to occur before identifying vulnerabilities and performing patching.
Critical for an Effective Cloud Patch Management Program & SOC Compliance…
The first step in effectively securing systems is understanding the resources residing in the cloud. This is an essential step because knowing what assets exist is necessary to implement proper security measures. Inventory is not only key for a patch management program, it provides foundations for evaluating risk, incident response and business continuity plans, monitoring programs, and access management – all of which are fundamentals in the controls reviewed for a SOC 2 report for all Trust Services Criteria.
What About the Assets?
In order to set up an effective patch management program, the inventory listing should include the following pieces of information about each asset:
- Type of asset (e.g., virtual machine, database, storage bucket).
- Person, team, or vendor responsible for managing the asset.
- Operating System/Platform running on the asset.
- Software and Applications running on the asset.
- Current patch level or version of the asset’s operating system, software, and applications.
- Criticality of the asset to the organization’s operations and security posture, including consideration of the type or classification of data that could be residing in the asset.
Do Businesses that Outsource Cloud Hosting Have to Have a Patch Management Program?
When looking at assets, a final consideration is whether any third party is responsible for patching cloud servers. Cloud hosting service providers can be fully responsible for patching, provide automated patching tools, or leave patching entirely up to the customer. Reading the provider’s service agreement is key to fully understanding the services and delineation of responsibility. Reviewing their SOC report is key to understanding if their patch management program is meeting Trust Services Criteria, and if the CUECs (Complementary User Entity Controls) describe the customer’s responsibility in the patch management process.
How to Identify Vulnerabilities
Now that there is a list of assets the business is responsible for, it is time to identify security vulnerabilities that may be present. This step will require decisions on resource use, as vulnerability identification is an ongoing task.
Information Is Available for DIY
With some systems, like Windows, version information is readily available on the device in system settings and vulnerabilities are published by Microsoft. This is a reliable way to identify vulnerabilities, but may not be scalable. Another common method for identifying known vulnerabilities is the National Vulnerability Database, a database run by the National Institute of Standards and Technology (NIST) that catalogs every known software vulnerability (known as a Common Vulnerability and Exposure, or CVE). This database requires a resource familiar (or one who is able to become familiar) with the NVD’s software package naming conventions, which is not initially intuitive.
Vulnerability Scanning Tools Are Available to Reduce Manual Resource Use
A simple Google search of “vulnerability scanning tools” brings up many products and articles comparing various tools. Factors to consider beyond cost could be the reporting output, organizational compliance requirements, continuous or periodic scanning, and whether the product incorporates links to vendor updates to remediate the vulnerability.
Applying the Patches
Once vulnerabilities are identified, security updates can be applied to address them.
Policies & Procedures: Good for the Patch Management Team, Good for the SOC Report
Documenting the policies and procedures will help the team managing the security of the cloud assets prioritize their patching efforts. Providing written guidance to the team also is a key control auditors look for during a SOC audit. The following are recommendations for what to include in cloud patch management policies and procedures.
- A process for updating and maintaining inventory listing.
- How to assess the severity and impact of each vulnerability.
- Once assessed, which vulnerabilities should be addressed first?
- How soon are vulnerabilities required to be patched?
- Testing requirements for patches.
- Deployment and rollback procedures.
- Validation or verification steps after patches have been applied.
- How to document the steps taken to patch a vulnerability.
- Roles and responsibilities for each step in the process.
- Any monitoring tasks to be performed when vendors are responsible for patching cloud assets.
Execute the Procedures for Security – Documents for Auditors
With a comprehensive set of patch management policies and procedures in place, the last thing left to do is follow them and document the actions. Identifying, testing, applying, and verifying patches as vulnerabilities arise greatly reduces the risks of security breaches and data loss. In order for an auditor to verify these controls are operating as designed in the policies and procedures, there must be documented evidence that the steps were followed as patches were applied. Ticketing systems provide an easy way to document the steps followed, who performed them, when they were performed, and helpful information regarding the patch. And, it’s not just for auditors – audit trails ensure patching procedures can be repeated efficiently in the future, provide insight if patches cause unintended consequences, and are beneficial for new staff or changes in resources.
Reviewing the Cloud Patch Management Program
Inventory listings and patch management policies and procedures should be periodically reviewed – another key control contributing to meeting SOC 2 security criteria. Changes in the business environment, changes in the cloud environment, changes in the risk assessment, and changes in tools and resources could all affect the inventory in the cloud and/or the process for patch management. These changes need to be reflected in the inventory listing and the policies and procedures. In addition, SOC reports for any cloud vendors who are responsible for patching need to be reviewed annually. Auditors will request evidence that these documents are periodically reviewed by the appropriate level of management.
Summary
Linford and Company specializes in several forms of audits that review cloud patch management controls such as SOC 1 & SOC 2 reporting, HITRUST, PCI, and FedRAMP.
If you are interested in learning more about the many audit services provided by Linford & Co, please feel free to contact us.
Britney Oswald specializes in SOC reporting and has eight years of experience performing IT and controls audits as both an internal and external auditor. In addition, she has experience as a Financial Controller implementing systems and processes within growing businesses. Her favorite part of the job is helping clients implement controls that are right-sized for their organization.