Vulnerability management is the process of identifying, classifying, remediating, and mitigating vulnerabilities, especially in software and firmware. Vulnerabilities are found in every IT asset that is developed, and they have to be identified at the early stages of development and remediated. Vulnerability management is integral to computer security and network security. The so-called Internet, a massive collection of interconnected computers, has many discovered and undiscovered vulnerabilities at multiple layers.
Cloud operates at the software layer and is consumed via the Internet, so anything that affects software or the Internet has a direct impact on it.
In a public IaaS environment, businesses don't get control over the hypervisor because it's a multi-tenant environment. Without hypervisor control, security needs to be deployed as agent-based protection at the VM level, creating self-defending VMs that stay secure in the shared infrastructure and that help maintain VM isolation. Although the agents put more of a burden on the host, the economies of scale in a public cloud compensate, and there are additional cost benefits with CAPEX savings and a pay-per-use approach.
Since cloud computing operates at the software layer, and that is where it is effectively consumed, it is all the more critical to identify dependency vulnerabilities and remediate them in a timely manner.
Though vulnerabilities can occur in multiple layers, let's discuss some key vulnerabilities from 2014 that had an impact on cloud computing services and consumers.
Heartbleed vulnerability at the entry point, or point of consumption, of the web service, which is the responsibility of the consumer and the service provider at different layers.
ShellShock vulnerability at the operating system level, which is the responsibility of the consumer.
Xen vulnerability at the hypervisor layer, which is the responsibility of the service provider.
By October 2014, security researchers had discovered a vulnerability in SSL 3.0 that allows attackers to decrypt encrypted connections to websites. This issue, which affects SSLv3, is known as POODLE or CVE-2014-3566. This is the responsibility of the consumer.