The tempo of IT management has quickened. With Infrastructure-as-a-Service (IaaS) in particular, and cloud computing in general, the lifespan of typical IT assets is shrinking from years to days. Combining software developers and network operations into one team, known as DevOps, has likewise shrunk the IT lifecycle. Given all of these variables, IT risk management programs that rely upon annual checks are falling woefully out of date.
IT risk management can be defined as the intersection of threats, assets, and vulnerabilities (r = t * a * v). IT risk management, therefore, consists of the disciplines of threat management, asset management, and vulnerability management. Threat management consists of identifying, assessing, and tracking the attackers. Asset management focuses on tracking all technology in the environment through the product lifecycle. Vulnerability management – the topic of this paper – tracks and addresses any asset weakness that threats may exploit.
Put differently, managing IT risk is about knowing who will attack you and how, what they will attack, and where you are vulnerable. All three disciplines must be automated and scaled to operate at the pace of IT. This white paper presents the basics of vulnerability management and highlights the efficiencies that can be achieved by automating and maturing a vulnerability management (VM) program.