Page 1040 - Cloud computing: From paradigm to operation
7 Security
8.7 Patch upgrade
8.7.1 Responsibilities
CSPs should optimize the patch management process of the cloud platform to reduce potential risks caused
by vulnerabilities, and protect the stable operation of cloud platforms and services.
In cloud computing, patch management should be implemented cooperatively by CSPs and
CSCs.
1) Responsibilities of CSP:
• Following the vulnerability releases for the operating systems of the VM images and promptly locating the latest
patches;
• Testing the security and adaptability of the patches;
• Applying the patches to the image operating system and creating the latest image files;
• Informing and helping CSCs to complete the patch update, and ensuring that the same vulnerability
no longer exists;
• Verifying the effect of these latest image files by creating a new virtual machine from them.
2) Responsibilities of CSC:
• Helping CSPs follow the vulnerability releases and locate the latest patches;
• Promptly applying patches to their virtual machines according to the information provided by CSPs.
Depending on the cloud service model (IaaS, PaaS or SaaS), a CSP is responsible only for the resources under
its own control, and the same applies to a CSC. For IaaS, CSPs are responsible for the patch upgrade of the
cloud computing infrastructure, while CSCs are responsible for the guest OS, application software and other
components under their control.
8.7.2 Process of upgrading security patch
The components of the cloud platform that need patching include virtualization software, operating systems,
network equipment, security equipment, database servers, management terminals, and other components
of the cloud platform. The closed-loop patch upgrade process involves the four stages shown below, which
help CSPs patch their cloud platform in a timely manner.
1) Patch collection
CSPs should collect patch information from the vendor's official patch update website, use the automatic
patch update tools released by the vendor, or use other means, in order to guarantee the integrity of the
collected patches. CSPs should analyse the collected patches, identify and record the vulnerabilities of the
existing systems and applications, evaluate the potential effects and risks of patching, and determine the
urgency and importance of each patch.
2) Patch test
CSPs should start a patch test to check the security, compatibility and stability of the patches. They should
establish a test environment to emulate the target platform or systems before the patching stage. After testing,
a report should be generated which recommends whether or not the patches should be released. The test
report also provides detailed technical guidelines for the patching steps and the rollback procedure. It should
give a full description of the patches so that the patching engineers understand the function and operation
of each patch and its effects on the systems and applications: the problems the patch addresses, the
affected systems, the affected files, whether the system or application must be restarted, etc.
3) Patch update
CSPs should draw up an operation plan for the patch update that includes the detailed operation steps derived
from the patch test report. An emergency plan should also be formulated for the case of patch failure; it
covers system and data backup, application switching, control of the patch release timing, patch uninstall
and system rollback. For a large-scale patch release, CSPs should request technical support from the vendors
in advance to improve their ability to handle unexpected situations.
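Stage 1 (patch collection) asks CSPs to guarantee the integrity of the collected patches and to rate their urgency and importance. The following Python script is an added example and is not part of the original report: it checks each collected patch's SHA-256 against the digest published in the vendor advisory, discards any mismatch before the patch can reach the test stage, and ranks the remainder by a simple urgency score that combines the vendor-stated severity, the number of deployed instances of the affected component, and whether an exploit is publicly known. The patch identifiers, payload bytes, digests, severities and the platform inventory are constructed sample values, and the scoring rule is an assumption of this example, not one the report specifies.

```python
"""Patch-collection helper: verify patch integrity, then rank by urgency.

Added example, not from the original report. All sample data is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class PatchRecord:
    patch_id: str          # vendor identifier (constructed sample value)
    component: str         # cloud-platform component the patch applies to
    severity: str          # vendor-stated severity: low / medium / high / critical
    published_sha256: str  # digest copied from the vendor's advisory
    payload: bytes         # bytes actually downloaded from the vendor site
    exploit_known: bool = False


SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def integrity_ok(patch: PatchRecord) -> bool:
    """True only if the downloaded bytes hash to the vendor-published digest.
    A mismatch means the file was corrupted or altered in transit and must not
    proceed to the test stage."""
    actual = hashlib.sha256(patch.payload).hexdigest()
    return hmac.compare_digest(actual, patch.published_sha256.lower())


def urgency(patch: PatchRecord, inventory: dict) -> int:
    """Assumed scoring rule (not from the report): severity weight multiplied by
    (1 + number of deployed instances of the component), doubled when an
    exploit is publicly known. A patch for a component that is not deployed
    on this platform scores zero."""
    deployed = inventory.get(patch.component, 0)
    if deployed == 0:
        return 0
    score = SEVERITY_WEIGHT[patch.severity] * (1 + deployed)
    return score * 2 if patch.exploit_known else score


def triage(patches: list, inventory: dict):
    """Drop patches that fail the integrity check and rank the rest.
    Returns (ranked list of (score, patch_id), list of rejected patch_ids)."""
    ranked, rejected = [], []
    for patch in patches:
        if not integrity_ok(patch):
            rejected.append(patch.patch_id)
            continue
        ranked.append((urgency(patch, inventory), patch.patch_id))
    ranked.sort(key=lambda item: (-item[0], item[1]))
    return ranked, rejected


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed inventory: component -> number of deployed instances.
SAMPLE_INVENTORY = {"hypervisor": 40, "guest-os-image": 60, "db-server": 6}

# Constructed patch records. The third one has a payload that does not match
# its published digest, simulating a corrupted or tampered download.
SAMPLE_PATCHES = [
    PatchRecord("HV-2024-001", "hypervisor", "critical",
                _digest(b"hv-fix-v1"), b"hv-fix-v1", exploit_known=True),
    PatchRecord("IMG-2024-007", "guest-os-image", "high",
                _digest(b"img-fix-v7"), b"img-fix-v7"),
    PatchRecord("DB-2024-003", "db-server", "medium",
                _digest(b"db-fix-v3"), b"db-fix-v3-ALTERED"),
    PatchRecord("NET-2024-002", "switch-firmware", "high",
                _digest(b"net-fix"), b"net-fix"),
]

if __name__ == "__main__":
    ranked, rejected = triage(SAMPLE_PATCHES, SAMPLE_INVENTORY)
    for score, patch_id in ranked:
        print(f"{patch_id:14s} urgency={score}")
    print("rejected (integrity failure):", rejected)
```

Running the script ranks the hypervisor patch first (critical severity, 40 instances, exploit known), the guest image patch second, and the switch-firmware patch last with a score of zero because no such component is in the inventory; the database patch is rejected outright because its bytes do not match the published digest. In practice the published digest should come from an authenticated channel (a signed advisory or the vendor's signing key), since a digest fetched over the same path as the patch offers no protection against an attacker who can alter both.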